In the last decade, a number of public key cryptosystems based on combinatorial group theoretic problems in braid groups have been proposed. We survey these cryptosystems and some known attacks on them.

This survey includes: basic facts on braid groups and on the Garside normal form of their elements, some known algorithms for solving the word problem in the braid group, the major public-key cryptosystems based on the braid group, and some of the known attacks on these cryptosystems. We conclude with a discussion of future directions (which also includes a description of cryptosystems based on other non-commutative groups).
1.1. Introduction



In many situations, we need to transfer data in a secure way: credit card information, health data, security uses, etc. The idea of public-key cryptography in general is to make it possible for two parties to agree on a shared secret key, which they can use to transfer data in a secure way (see [73]).

There are several known public-key cryptosystems which are based on the discrete logarithm problem, which is the problem of finding $x$ in the equation $g^x = h$ where $g, h$ are given, and on the factorization problem, which is the problem of factoring a number into its prime factors: Diffie-Hellman [38] and RSA [106]. These schemes are used in most of the present-day applications using public-key cryptography.

There are several problems with this situation: 

• Subexponential attacks on the current cryptosystems' underlying problems: Diffie-Hellman and RSA are breakable in time that is subexponential (i.e. faster than exponential) in the size of the secret key [2]. The current length of secure keys is at least 1000 bits. Thus, the length of the key has to be increased every few years. This makes the encryption and decryption algorithms very heavy.

• Quantum computers: If quantum computers are implemented in a satisfactory way, RSA will not be secure anymore, since there are polynomial (in $\log n$) run-time algorithms of Peter Shor [110] which solve the factorization problem and the discrete logarithm problem. Hence, they solve the problems which RSA and Diffie-Hellman are based on (for more information, see for example [2]).

• Too much secure data is transferred by the same method: It is not healthy that most of the secure data in the world is transferred by the same method, since if this method is broken, too much secure data will be revealed.

April 16, 2009 22:45 World Scientific Review Volume - 9in x 6in BGCiecturenotes'fina!

4 David Garber

Hence, to solve these problems, one should look for a new public-key cryptosystem which on the one hand will be efficient to implement and use, and on the other hand will be based on a problem which is different from the discrete logarithm problem and the factorization problem. Moreover, the problem should have no subexponential algorithm for solving it, and it is preferable that it has no known attacks by quantum computers.

Combinatorial group theory is a fertile ground for finding hard problems which can serve as a base for a cryptosystem. The braid group defined by Artin [7] is a very interesting group from many aspects: it has many equivalent presentations in entirely different disciplines; its word problem (to determine whether two elements are equal in the group) is relatively easy to solve, but some other problems (such as the conjugacy problem, the decomposition problem, and more) seem to be hard to solve.

Based on the braid group and its problems, two cryptosystems were suggested about a decade ago: by Anshel, Anshel and Goldfeld in 1999 [5] and by Ko, Lee, Cheon, Han, Kang and Park in 2000 [72]. These cryptosystems initiated a wide discussion about the possibilities of cryptography in the braid group especially, and in groups in general.

An interesting point which should be mentioned here is that the conjugacy problem in the braid group attracted people even before the cryptosystems on the braid groups were suggested (see, for example, [43]). After the cryptosystems were suggested, some probabilistic solutions were given [48, 49, 65], but it gave a great push to the efforts to solve the conjugacy problem theoretically in polynomial time (see [14, 15, 16, 53, 54, 79, 80] and many more).

The potential use of braid groups in cryptography led to additional proposals of cryptosystems which are based on apparently hard problems in braid groups (the Decomposition problem [113], the Triple Decomposition problem [75], the Shifted Conjugacy Search problem, and more) and in other groups, like Thompson groups [112], polycyclic groups, and more. For more information, see the new book of Myasnikov, Shpilrain and Ushakov [98].

In these notes, we try to survey this fascinating subject. Section 1.2 deals with some different presentations of the braid group. In Section 1.3 we describe two normal forms for elements in the braid groups. In Section 1.4 we give several solutions for the word problem in the braid group. Section 1.5 introduces the notion of public-key cryptography. In Section 1.6 the first cryptosystems which are based on the braid group are presented. Section 1.7 is devoted to the theoretical solution to the conjugacy search problem, using the different variants of Summit Sets. In Section 1.8 we describe some more attacks on the conjugacy search problem. In Section 1.9 we discuss some more suggestions for cryptosystems based on the braid group and their cryptanalysis. Section 1.10 deals with the option of changing the distribution for choosing a key. In Section 1.11 we deal with some suggestions for cryptosystems which are based on other non-commutative groups.

Braid Group Cryptography 5

1.2. The braid group 

1.2.1. Basic definitions 

The braid groups were introduced by Artin [7]. There are several definitions for these groups (see [13, 107]), and we need two of them for our purposes.

1.2.1.1. Algebraic presentation 

Definition 1.1. For $n \ge 2$, the braid group $B_n$ is defined by the presentation:

$$B_n = \left\langle \sigma_1, \ldots, \sigma_{n-1} \;\middle|\; \begin{array}{ll} \sigma_i\sigma_j = \sigma_j\sigma_i & \text{for } |i-j| \ge 2 \\ \sigma_i\sigma_j\sigma_i = \sigma_j\sigma_i\sigma_j & \text{for } |i-j| = 1 \end{array} \right\rangle \qquad (1.2.1)$$



This presentation is called the Artin presentation and the generators are called Artin's generators.

An element of $B_n$ will be called an $n$-braid. For each $n$, the identity mapping on $\{\sigma_1, \ldots, \sigma_{n-1}\}$ induces an embedding of $B_n$ into $B_{n+1}$, so that we can consider an $n$-braid as a particular $(n+1)$-braid. Using this, one can define the limit group $B_\infty$.

Note that $B_2$ is an infinite cyclic group, and hence it is isomorphic to the group $\mathbb{Z}$ of integers. For $n \ge 3$, the group $B_n$ is not commutative and its center is an infinite cyclic subgroup.

When a group is specified using a presentation, each element of the group is an equivalence class of words with respect to the congruence generated by the relations of the presentation. Hence, every $n$-braid is an equivalence class of $n$-braid words under the congruence generated by the relations in Presentation (1.2.1).
1.2.1.2. Geometric interpretation

The elements of $B_n$ can be interpreted as geometric braids with $n$ strands. One can associate with every braid the planar diagram obtained by concatenating the elementary diagrams of Figure 1.1 corresponding to the successive letters.








Fig. 1.1. The geometric Artin generators 



A braid diagram can be seen as induced by a three-dimensional figure consisting of $n$ disjoint curves connecting the points $(1,0,0), \ldots, (n,0,0)$ to the points $(1,0,1), \ldots, (n,0,1)$ in $\mathbb{R}^3$ (see Figure 1.2).




Fig. 1.2. An example of a braid in B5 



Then the relations in Presentation (1.2.1) correspond to ambient isotopy, that is: to continuously moving the curves without moving their ends and without allowing them to intersect (see Figures 1.3 and 1.4); the converse implication, i.e., the fact that the projections of isotopic 3-dimensional figures can always be encoded in words connected by Presentation (1.2.1), was proved by Artin in [7]. Hence, the word problem in the braid group for the Presentation (1.2.1) is also the braid isotopy problem, and thus it is closely related to the much more difficult knot isotopy problem.



Fig. 1.3. The commutative relation for geometric Artin generators 











Fig. 1.4. The triple relation for geometric Artin generators 

1.2.2. Birman-Ko-Lee presentation 

Like Artin's generators, the generators of Birman-Ko-Lee [17] are braids in which exactly one pair of strands crosses. The difference is that Birman-Ko-Lee's generators include arbitrary transpositions of strands $(i, j)$ instead of the adjacent transpositions $(i, i+1)$ of Artin's generators. For each $t, s$ with $1 \le s < t \le n$, define the following element of $B_n$:

$$a_{ts} = (\sigma_{t-1}\sigma_{t-2}\cdots\sigma_{s+1})\,\sigma_s\,(\sigma_{s+1}^{-1}\cdots\sigma_{t-2}^{-1}\sigma_{t-1}^{-1})$$

See Figure 1.5 for an example (note that the braid $a_{ts}$ is an elementary interchange of the $t$th and $s$th strands, with all other strands held fixed, and with the convention that the strands being interchanged pass in front of all intervening strands). Such an element is called a band generator. Note that the usual Artin generator $\sigma_t$ is the band generator $a_{t+1,t}$.

Fig. 1.5. The band generator

This set of generators satisfies the following relations (see [17, Proposition 2.1] for a proof):

• $a_{ts}a_{rq} = a_{rq}a_{ts}$ if $[s,t] \cap [q,r] = \emptyset$.

• $a_{ts}a_{sr} = a_{tr}a_{ts} = a_{sr}a_{tr}$ for $1 \le r < s < t \le n$.

For a geometric interpretation of the second relation, see Figure 1.6.






Fig. 1.6. The second relation of the Birman-Ko-Lee presentation 



1.2.2.1. A geometric viewpoint on the difference between presentations

A different viewpoint on the relation between the two presentations is as follows: one can think of the braid group as the isotopy classes of boundary-fixing homeomorphisms of the closed disk $D_n \subset \mathbb{C}$ centered at $0$ with $n$ punctures [7].

In this viewpoint, for presenting the Artin generators, we locate the punctures on the real line, and the generator $\sigma_i$ is the homeomorphism which exchanges the points $i$ and $i+1$ along the real line (see Figure 1.7).




Fig. 1.7. The Artin generator $\sigma_3$

On the other hand, for illustrating the generators $a_{ts}$ of the Birman-Ko-Lee presentation, let us take the punctures organized as the vertices of an $n$-gon contained in the disk $D_n$. Now, the generator $a_{ts}$ is the homeomorphism which exchanges the points $t$ and $s$ along the chord connecting them (see Figure 1.8).




Fig. 1.8. The Birman-Ko-Lee generator $a_{53}$

For more information, see [9, 10].



1.3. Normal forms of elements in the braid group 

A normal form of an element in a group is a unique representation of each element in the group.

Having a normal form for elements in the group is very useful, since it lets us compare two elements, so it gives a solution for the word problem:

Problem 1.1. Given a braid $w$, does $w = e$ hold, i.e., does $w$ represent the unit braid $e$ (see Figure 1.9)?




Fig. 1.9. The unit braid $e \in B_5$

Since $B_n$ is a group, the above problem is equivalent to the following problem:

Problem 1.2. Given two braids $w, w'$, does $w = w'$ hold, i.e., do $w$ and $w'$ represent the same braid?

Indeed, $w = w'$ is equivalent to $w^{-1}w' = e$, where $w^{-1}$ is the word obtained from $w$ by reversing the order of the letters and exchanging $\sigma_i$ and $\sigma_i^{-1}$ everywhere.

Also, the normal form gives a canonical representative of each equiva- 
lence class. 

We present here two known normal forms of elements in the braid group. For more normal forms, see [20, 31, 40].



1.3.1. Garside normal form 

The Garside normal form originates in the work of Garside [51], and several variants have been described in several partly independent papers [37, 43, 44, 121].

We start by defining a positive braid, which is a braid that can be written as a product of positive powers of Artin generators. We denote the set of positive braids by $B_n^+$. This set has the structure of a monoid under the operation of braid concatenation.

An important example of a positive braid, which has a central role in the Garside normal form, is the fundamental braid $\Delta_n \in B_n$:

$$\Delta_n = (\sigma_1 \cdots \sigma_{n-1})(\sigma_1 \cdots \sigma_{n-2}) \cdots \sigma_1$$

Geometrically, $\Delta_n$ is the braid on $n$ strands where any two strands cross positively exactly once (see Figure 1.10).




Fig. 1.10. The fundamental braid $\Delta_4 = \sigma_1\sigma_2\sigma_3\sigma_1\sigma_2\sigma_1$



The fundamental braid has several important properties:

(1) For any generator $\sigma_i$, we can write $\Delta_n = \sigma_i A = B\sigma_i$ where $A, B$ are positive braids.

(2) For any generator $\sigma_i$, the following holds:

$$\tau(\sigma_i) = \Delta_n^{-1}\sigma_i\Delta_n = \sigma_{n-i}$$

(the inner automorphism $\tau$ of $B_n$ is called the shift map).

(3) $\Delta_n^2$ is the generator of the center of $B_n$.

Now, we introduce permutation braids. One can define a partial order on the elements of $B_n$: for $A, B \in B_n$, we say that $A$ is a prefix of $B$ and write $A \preceq B$ if $B = AC$ for some $C \in B_n^+$. Its simple properties are:

(1) $B \in B_n^+ \Rightarrow e \preceq B$

(2) $A \preceq B \Rightarrow B^{-1} \preceq A^{-1}$.

$P \in B_n$ is a permutation braid (or a simple braid) if it satisfies $e \preceq P \preceq \Delta_n$. Its name comes from the fact that there is a bijection between the set of permutation braids in $B_n$ and the symmetric group $S_n$ (there is a natural surjective map from $B_n$ to $S_n$ defined by sending $i$ to the ending place of the strand which starts at position $i$, and if we restrict ourselves to permutation braids, this map is a bijection). Hence, we have $n!$ permutation braids.
Geometrically, a permutation braid is a braid on $n$ strands where any two strands cross positively at most once.

Given a permutation braid $P$, one can define a starting set $S(P)$ and a finishing set $F(P)$ as follows:

$$S(P) = \{\, i \mid P = \sigma_i P' \text{ for some } P' \in B_n^+ \,\}$$

$$F(P) = \{\, i \mid P = P'\sigma_i \text{ for some } P' \in B_n^+ \,\}$$

The starting set consists of the indices of the generators which can start a presentation of $P$. The finishing set is defined similarly. For example, $S(\Delta_n) = F(\Delta_n) = \{1, \ldots, n-1\}$.

A left-weighted decomposition of a positive braid $A \in B_n^+$ into a sequence of permutation braids is:

$$A = P_1 P_2 \cdots P_k$$

where the $P_i$ are permutation braids and $S(P_{i+1}) \subseteq F(P_i)$, i.e. any addition of a generator from $P_{i+1}$ to $P_i$ will convert $P_i$ into a braid which is not a permutation braid.

Example 1.1. The following braid is left-weighted:

[Figure: a left-weighted braid]

The following braid is not left-weighted, due to the circled crossing which can be moved to the first permutation braid:

[Figure: a braid which is not left-weighted]

Now, we show it algebraically:

$$\sigma_1\sigma_2 \cdot \sigma_2\sigma_1\sigma_2 = \sigma_1\sigma_2 \cdot \sigma_1\sigma_2\sigma_1 = \sigma_1\sigma_2\sigma_1 \cdot \sigma_2\sigma_1$$

The following theorem introduces the Garside normal form (or left normal form or greedy normal form) and states its uniqueness:

Theorem 1.2. For every braid $w \in B_n$, there is a unique presentation given by:

$$w = \Delta_n^r P_1 P_2 \cdots P_k$$

where $r \in \mathbb{Z}$ is maximal, the $P_i$ are permutation braids, $P_k \ne e$ and $P_1 P_2 \cdots P_k$ is a left-weighted decomposition.

To convert a given braid $w$ into its Garside normal form we have to perform the following steps:

(1) For any negative power of a generator, replace $\sigma_i^{-1}$ by $\Delta_n^{-1}B_i$ where $B_i$ is a permutation braid.

(2) Move any appearance of $\Delta_n$ to the left using the relation $\Delta_n^{-1}\sigma_i\Delta_n = \tau(\sigma_i) = \sigma_{n-i}$. So we get $w = \Delta_n^r A$ where $A$ is a positive braid.

(3) Write $A$ as a left-weighted decomposition of permutation braids. The way to do this is as follows: take $A$ and break it into permutation braids (i.e. we take the longest possible sequences of generators which are still permutation braids). Then we get $A = Q_1 Q_2 \cdots Q_j$ where each $Q_i$ is a permutation braid. For each $i$, we compute the finishing set $F(Q_i)$ and the starting set $S(Q_{i+1})$. In case the starting set is not contained in the finishing set, we take a generator $\sigma \in S(Q_{i+1}) \setminus F(Q_i)$, and using the relations of the braid group we move it from $Q_{i+1}$ to $Q_i$. Then, we get the decomposition $A = Q_1 Q_2 \cdots Q_i' Q_{i+1}' \cdots Q_j$. We continue this process till we have $S(Q_{i+1}) \subseteq F(Q_i)$ for every $i$, and then we have a left-weighted decomposition as needed. For more details, see [43] and [56, Proposition 4.2] (in the latter reference, it is done based on their new idea of local slidings, see Section 1.7.5 below).

Example 1.2. Let us present the braid $w = \sigma_1\sigma_3^{-1}\sigma_2 \in B_4$ in Garside normal form. First, we should replace $\sigma_3^{-1}$ by $\Delta_4^{-1}\sigma_3\sigma_2\sigma_1\sigma_3\sigma_2$, so we get:

$$w = \sigma_1 \cdot \Delta_4^{-1}\sigma_3\sigma_2\sigma_1\sigma_3\sigma_2 \cdot \sigma_2$$

Now, moving $\Delta_4$ to the left yields:

$$w = \Delta_4^{-1} \cdot \sigma_3\sigma_3\sigma_2\sigma_1\sigma_3\sigma_2\sigma_2$$

Decomposing the positive part into a left-weighted decomposition, we get:

$$w = \Delta_4^{-1} \cdot \sigma_2\sigma_1\sigma_3\sigma_2\sigma_1 \cdot \sigma_1\sigma_2$$

The complexity of transforming a word into a canonical form with respect to the Artin presentation is $O(|W|^2 n \log n)$, where $|W|$ is the length of the word in $B_n$ [44, Section 9.5].

In a similar way, one can define a right normal form. A right-weighted decomposition of a positive braid $A \in B_n^+$ into a sequence of permutation braids is:

$$A = P_k \cdots P_2 P_1$$

where the $P_i$ are permutation braids and $F(P_{i+1}) \subseteq S(P_i)$, i.e. any addition of a generator from $P_{i+1}$ to $P_i$ will convert $P_i$ into a braid which is not a permutation braid.

Now, one has the following theorem about the right normal form and its uniqueness:

Theorem 1.3. For every braid $w \in B_n$, there is a unique presentation given by:

$$w = P_k \cdots P_2 P_1 \Delta_n^r$$

where $r \in \mathbb{Z}$, the $P_i$ are permutation braids, and $P_k \cdots P_2 P_1$ is a right-weighted decomposition.

To convert a given braid $w$ into its right normal form we have to follow three steps, similar to those of the Garside normal form: we first replace $\sigma_i^{-1}$ by $B_i\Delta_n^{-1}$. Then, we move any appearance of $\Delta_n$ to the right side, and we get $w = A\Delta_n^r$ where $A$ is a positive braid. The last step is to write $A$ as a right-weighted decomposition of permutation braids.

Now we define the infimum and the supremum of a braid $w$: for $w \in B_n$, set $\inf(w) = \max\{r : \Delta_n^r \preceq w\}$ and $\sup(w) = \min\{s : w \preceq \Delta_n^s\}$.

One can easily see that if $w = \Delta_n^m P_1 P_2 \cdots P_k$ is the Garside normal form of $w$, then $\inf(w) = m$ and $\sup(w) = m + k$.

The canonical length of $w$ (or complexity of $w$), denoted by $\ell(w)$, is given by $\ell(w) = \sup(w) - \inf(w)$. Hence, if $w$ is given in its normal form, the canonical length is the number of permutation braids in the form.
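As an added worked example (not code from the lecture notes), the following Python carries out the three-step procedure above for the Artin presentation: permutation braids are stored as permutations, the starting and finishing sets are taken as the descent sets of the permutation and of its inverse (an assumption of this implementation), Example 1.2 is reproduced, and inf, sup and the canonical length are read off the result.

```python
# Added example: Garside left normal form Delta^r P_1 ... P_k in B_n.
# Assumed conventions: a braid word is a list of nonzero ints, i for sigma_i
# and -i for sigma_i^{-1} (1 <= i < n); sigma_i crosses the strands at positions
# i, i+1; a permutation braid is a tuple p with p[k] = end position of the
# strand that starts at position k (both 0-based).

def delta(n):
    """Delta_n: every pair of strands crosses once, so positions are reversed."""
    return tuple(range(n - 1, -1, -1))

def inverse(p):
    return tuple(sorted(range(len(p)), key=p.__getitem__))

def starting_set(p):
    """S(P) = {i : sigma_i is a prefix of P} = descents of p (1-based)."""
    return {i + 1 for i in range(len(p) - 1) if p[i] > p[i + 1]}

def finishing_set(p):
    """F(P) = {i : sigma_i is a suffix of P} = descents of p^{-1}."""
    return starting_set(inverse(p))

def times_gen(p, i):
    """Permutation of P * sigma_i: swap the final positions i-1 and i (0-based)."""
    return tuple(i if v == i - 1 else i - 1 if v == i else v for v in p)

def append_gen(p, i):
    """P * sigma_i, or None if strands at i, i+1 already crossed (not simple)."""
    return None if i in finishing_set(p) else times_gen(p, i)

def remove_prefix_gen(p, i):
    """P' with P = sigma_i * P'; requires i in S(P)."""
    q = list(p)
    q[i - 1], q[i] = q[i], q[i - 1]
    return tuple(q)

def word_of(p):
    """A positive word for a permutation braid: peel off min S(P) repeatedly."""
    out = []
    while starting_set(p):
        i = min(starting_set(p))
        out.append(i)
        p = remove_prefix_gen(p, i)
    return out

def left_normal_form(word, n):
    """Return (r, [P_1, ..., P_k]) with w = Delta^r P_1 ... P_k left-weighted."""
    e, r, positive = tuple(range(n)), 0, []
    for g in word:
        if g > 0:
            positive.append(g)
            continue
        # Steps 1+2: sigma_i^{-1} = Delta^{-1} (Delta sigma_i^{-1}); pulling
        # Delta^{-1} to the far left shifts every generator it passes: j -> n-j.
        r -= 1
        positive = [n - j for j in positive]
        positive += word_of(times_gen(delta(n), -g))
    # Step 3a: greedily cut the positive word into permutation braids Q_1..Q_j.
    factors, cur = [], e
    for i in positive:
        nxt = append_gen(cur, i)
        if nxt is None:
            factors.append(cur)
            nxt = append_gen(e, i)
        cur = nxt
    if cur != e:
        factors.append(cur)
    # Step 3b: while S(Q_{i+1}) is not inside F(Q_i), move such a generator from
    # the front of Q_{i+1} to the end of Q_i; factors that empty out are dropped.
    changed = True
    while changed:
        changed = False
        for k in range(len(factors) - 1):
            movable = starting_set(factors[k + 1]) - finishing_set(factors[k])
            while movable:
                i = min(movable)
                factors[k] = append_gen(factors[k], i)
                factors[k + 1] = remove_prefix_gen(factors[k + 1], i)
                changed = True
                movable = starting_set(factors[k + 1]) - finishing_set(factors[k])
        factors = [f for f in factors if f != e]
    while factors and factors[0] == delta(n):  # leading Deltas join the power
        factors.pop(0)
        r += 1
    return r, factors

def inf_sup_len(word, n):
    """inf(w) = r, sup(w) = r + k and canonical length k, read off the form."""
    r, factors = left_normal_form(word, n)
    return r, r + len(factors), len(factors)

def same_braid(u, v, n):
    """Problem 1.2: two words are equal iff their unique normal forms agree."""
    return left_normal_form(u, n) == left_normal_form(v, n)

def example_1_2():
    """w = sigma_1 sigma_3^{-1} sigma_2 in B_4, as in Example 1.2 of the notes."""
    r, factors = left_normal_form([1, -3, 2], 4)
    return r, [word_of(p) for p in factors]
```

`example_1_2()` returns `(-1, [[2, 1, 3, 2, 1], [1, 2]])`, i.e. $\Delta_4^{-1}\cdot\sigma_2\sigma_1\sigma_3\sigma_2\sigma_1\cdot\sigma_1\sigma_2$, the form obtained by hand in Example 1.2.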
1.3.2. Birman-Ko-Lee canonical form

Based on the presentation of Birman, Ko and Lee [17], they give a new canonical form for elements in the braid group. They define a new fundamental word:

$$\delta_n = a_{n,n-1}a_{n-1,n-2}\cdots a_{2,1} = \sigma_{n-1}\sigma_{n-2}\cdots\sigma_1$$

See Figure 1.11 for an example for $n = 4$.




Fig. 1.11. The fundamental braid $\delta_4 = \sigma_3\sigma_2\sigma_1$

One can easily see the connection between the new fundamental word and Garside's fundamental word $\Delta_n$:



The new fundamental word $\delta_n$ has important properties, similar to those of $\Delta_n$:

(1) For any generator $a_{sr}$, we can write $\delta_n = a_{sr}A = Ba_{sr}$ where $A, B$ are positive braids (with respect to the Birman-Ko-Lee generators).

(2) For any generator $a_{sr}$, the following holds: $a_{sr}\delta_n = \delta_n a_{s+1,r+1}$.

Similar to Garside's normal form of braids, each element of $B_n$ has the following unique form in terms of the band generators:

$$w = \delta_n^j A_1 A_2 \cdots A_k,$$

where $A = A_1 A_2 \cdots A_k$ is positive, $j$ is maximal and $k$ is minimal for all such representations, and the $A_i$ are positive braids which are determined uniquely by their associated permutations (see [17, Lemma 3.1]). Note that not every permutation corresponds to a canonical factor. We will refer to Garside's braids $P_i$ as permutation braids, and to the Birman-Ko-Lee braids $A_i$ as canonical factors.
Note that there are $C_n = \frac{1}{n+1}\binom{2n}{n}$ (the $n$th Catalan number) different canonical factors for the band-generator presentation [17, Corollary 3.5], whereas there are $n!$ different permutation braids for the Artin presentation. Since $C_n$ is much smaller than $n!$, it is sometimes computationally easier to work with the band-generator presentation than with the Artin presentation (see also Section 1.8.3.2 below).

As in Garside's normal form, there is an algorithmic way to convert any braid to this canonical form: we first convert any negative power of a generator to $\delta_n^{-1}A$ where $A$ is positive. Then, we move all the $\delta_n$ to the left, and finally we organize the positive word in a left-weighted decomposition of canonical factors.

The complexity of transforming a word into a canonical form with respect to the Birman-Ko-Lee presentation is $O(|W|^2 n)$, where $|W|$ is the length of the word in $B_n$ [17].

As in Garside's normal form, one can define the infimum, the supremum and the canonical length for the canonical form of the Birman-Ko-Lee presentation.

1.4. Algorithms for solving the word problem in the braid group

Using $e$ for the unit word (see Figure 1.9), the word problem is the following algorithmic problem:

Problem 1.3. Given one braid word $w$, does $w = e$ hold, i.e., does $w$ represent the unit braid $e$?

In this section, we will concentrate on some solutions for the word prob- 
lem in the braid group. 

1.4.1. Dehornoy's handles reduction 

The process of handle reduction was introduced by Dehornoy [28], and one can see it as an extension of the free reduction process for free groups. Free reduction consists of iteratively deleting all patterns of the form $xx^{-1}$ or $x^{-1}x$: starting with an arbitrary word $w$ of length $m$, and no matter how the reductions are performed, one finishes in at most $m/2$ steps with a unique reduced word, i.e., a word that contains no $xx^{-1}$ or $x^{-1}x$.

Free reduction is possible for any group presentation, and in particular for $B_n$, but it does not solve the word problem: there exist words that represent $e \in B_n$ but do not freely reduce to the unit word. For example, the word $\sigma_1\sigma_2\sigma_1\sigma_2^{-1}\sigma_1^{-1}\sigma_2^{-1}$ represents the unit word, but free reductions cannot reduce it any further.

The handle reduction process generalizes free reduction and involves not only patterns of the form $xx^{-1}$ or $x^{-1}x$, but also more general patterns of the form $\sigma_i \cdots \sigma_i^{-1}$ or $\sigma_i^{-1} \cdots \sigma_i$.

Definition 1.4. A $\sigma_i$-handle is a braid word of the form

$$w = \sigma_i^{e}\, w_0\, \sigma_{i+1}^{d}\, w_1\, \sigma_{i+1}^{d} \cdots \sigma_{i+1}^{d}\, w_m\, \sigma_i^{-e}$$

with $e, d = \pm 1$, $m \ge 0$, and $w_0, \ldots, w_m$ containing no $\sigma_j$ with $j < i+1$. The reduction of $w$ is defined as follows:

$$w' = w_0\, \sigma_{i+1}^{-e}\sigma_i^{d}\sigma_{i+1}^{e}\, w_1\, \sigma_{i+1}^{-e}\sigma_i^{d}\sigma_{i+1}^{e} \cdots \sigma_{i+1}^{-e}\sigma_i^{d}\sigma_{i+1}^{e}\, w_m$$

i.e., we delete the initial and final letters $\sigma_i^{\pm e}$, and we replace each letter $\sigma_{i+1}^{d}$ with $\sigma_{i+1}^{-e}\sigma_i^{d}\sigma_{i+1}^{e}$ (see Figure 1.12, taken from [29]).





Fig. 1.12. An example of a handle reduction (for $\sigma_1$). The two circled crossings on the left side are the start and the end of the handle



Note that a braid of the form $\sigma_i\sigma_i^{-1}$ or $\sigma_i^{-1}\sigma_i$ is a handle, and hence we see that the handle reduction process generalizes the free reduction process.

Reducing a braid yields an equivalent braid: as illustrated in Figure 1.12, the $(i+1)$th strand in a $\sigma_i$-handle forms a sort of handle, and the reduction consists of pushing that strand so that it passes above the next crossings instead of below. So, as in the case of a free reduction, if there is a reduction sequence from a braid $w$ to $e$, i.e., a sequence $w = w_0 \to w_1 \to \cdots \to w_N = e$ such that, for each $k$, $w_{k+1}$ is obtained from $w_k$ by replacing some handle of $w_k$ by its reduction, then $w$ is equivalent to $e$, i.e., it represents the unit word $e$.

The following result of Dehornoy [28] shows the converse implication and the termination of the process of handle reductions:

Proposition 1.1. Assume that $w \in B_n$ has length $m$. Then every reduction sequence starting from $w$ leads in at most $2^{m^4}$ steps to an irreducible braid (with respect to Dehornoy's reductions). Moreover, the unit word $e$ is the only irreducible word in its equivalence class, hence $w$ represents the unit braid if and only if any reduction sequence starting from $w$ finishes with the unit word.

A braid may contain many handles, so building an actual algorithm requires fixing a strategy prescribing in which order the handles will be reduced. Several variants have been considered; as can be expected, the most efficient ones use a "Divide and Conquer" trick.

For our current purpose, the important fact is that, although the proved complexity upper bound of the above proposition is very high, handle reduction is extremely efficient in practice, even more than the reduction to a normal form, see [29].

Remark 1.1. In [33], Dehornoy gives an alternative proof for the convergence of the handle reduction algorithm of braids which is both simpler and more precise than the one in his original paper on handle reductions.



1.4.2. Action on the fundamental group 

As we have pointed out in Section 1.2.2.1, the braid group can be thought of as the isotopy classes of boundary-fixing homeomorphisms of the closed disk $D_n \subset \mathbb{C}$ centered at $0$ with $n$ punctures $p_1, \ldots, p_n$ [7]. It means that two elements are the same if their actions on $\pi_1(D_n \setminus \{p_1, \ldots, p_n\}, u)$ are equal.

In [47], we propose the following solution for the word problem: we start with a geometric base for $\pi_1(D_n \setminus \{p_1, \ldots, p_n\}, u)$ presented in Figure 1.13.

Now, we apply the two braids to this initial geometric base. If the resulting bases are the same up to isotopy, it means that the braids are equal; otherwise they are different.

In Figure 1.14 there is a simple example of two equal braids which result in the same base.

This algorithm is very quick and efficient for short words, but its worst case is exponential. For more details on its implementation, see [47].

For more solutions for the word problem for the braid groups, see [39].
Fig. 1.13. A geometric base

Fig. 1.14. An example of applications of the two equal braids $\sigma_1\sigma_2\sigma_1$ and $\sigma_2\sigma_1\sigma_2$ on the initial geometric base


1.5. What is Public-Key Cryptography? 



The idea of Public-Key Cryptography (PKC) was invented by Diffie and Hellman [38]. At the heart of this concept is the idea of using a one-way function for encryption (see the survey paper of Koblitz and Menezes [75]). The functions used for encryption belong to a special class of one-way functions that remain one-way only if some information (the decryption key) is kept secret. If we use informal terminology, we can define a public-key encryption function as a map from plaintext message units to ciphertext message units that can be feasibly computed by anyone having the public key, but whose inverse function (which deciphers the ciphertext message units) cannot be computed in a reasonable amount of time without some additional information, called the private key.

This means that everyone can send a message to a given person using the 
same enciphering key, which can simply be looked up in a public directory 
whose contents can be authenticated by some means. There is no need for 
the sender to have made any secret arrangement with the recipient; indeed, 
the recipient need never have had any prior contact with the sender at all. 

Some of the purposes for which public-key cryptography has been ap- 
plied are: 

• Confidential message transmission: Two people want to exchange 
messages in the open airwaves, in such a way that an intruder observing 
the communication cannot understand the messages. 

• Key exchange or Key agreement: Two people using the open air- 
waves want to agree upon a secret key for use in some symmetric-key 
cryptosystem. The agreement should be in such a way that an intruder 
observing the communication cannot deduce any useful information 
about their shared secret. 

• Authentication: The prover wishes to convince the verifier that he 
knows the private key without enabling an intruder watching the com- 
munication to deduce anything about his private key. 

• Signature: The target here is the following: the sender of the message has to send the receiver a (clear or ciphered) message together with a signature proving the origin of the message. Each signature scheme may lead to an authentication scheme: in order to authenticate the sender, the receiver can send a message to the sender and require that the sender signs this message.

Now, we give some examples of the most famous and well-known public- 
key cryptosystems. 

1.5.1. Diffie-Hellman 

In 1976, Diffie and Hellman [38] introduced a key-exchange protocol which is based on the apparent difficulty of computing logarithms over a finite field $\mathbb{F}_q$ with $q$ elements and on some commutative property of the exponent. Their key-exchange protocol works as follows:

Protocol 1.5.

Public keys: $q$ and a primitive element $\alpha$.
Private keys: Alice: $X_i$; Bob: $X_j$.

Alice: Sends Bob $Y_i = \alpha^{X_i} \pmod q$.
Bob: Sends Alice $Y_j = \alpha^{X_j} \pmod q$.

Shared secret key: $K_{ij} = \alpha^{X_i X_j} \pmod q$.

$K_{ij}$ is indeed a shared key, since Alice can compute $K_{ij} = Y_j^{X_i} \pmod q$ and Bob can compute $K_{ij} = Y_i^{X_j} \pmod q$.

This method is secure due to the hardness of the Discrete Logarithm Problem.



1.5.2. RSA 

Rivest, Shamir and Adleman [106] introduced one of the most famous and common cryptosystems, which is called RSA. This method is widely used in commerce.

Find two large prime numbers $p$ and $q$, each about 100 decimal digits long. Let $n = pq$ and $\phi = \phi(n) = (p-1)(q-1)$ (the Euler number). Choose a random integer $E$ between 3 and $\phi$ that has no common factors with $\phi$. It is easy to find an integer $D$ that is the "inverse" of $E$ modulo $\phi$, that is, $D \cdot E$ differs from 1 by a multiple of $\phi$.

Alice makes $E$ and $n$ public. All the other quantities here are kept secret.

The encryption is done as follows: Bob, who wants to send a plaintext message $P$ to Alice, that is an integer between $0$ and $n-1$, computes the ciphertext integer $C = P^E \pmod n$. (In other words, raise $P$ to the power $E$, divide the result by $n$, and $C$ is the remainder). Then, Bob sends $C$ to Alice.

To decrypt the message, Alice uses the secret decryption number $D$ to find the plaintext $P$ by computing $P = C^D \pmod n$.

This method is currently secure, since in order to determine the secret decryption key $D$ (for decrypting the message), the intruder should factor the 200 or so digit number $n$, which is a very hard task.
1.6. First cryptosystems which are based on the braid groups

In this section, we describe the first cryptosystems which are based on the braid groups. We start with the definition of some apparently hard problems on which the cryptosystems are based. After that, we describe the first two key-exchange protocols which are based on the braid group. We finish the section with some more cryptosystems based on the braid group.

1.6.1. Underlying problems for cryptosystems in the braid group

We list here several apparently hard problems in the braid group, which are the base of many cryptosystems in the braid group:

• Conjugacy Decision Problem: Given $u, w \in B_n$, determine whether they are conjugate, i.e., whether there exists $v \in B_n$ such that

$$w = v^{-1}uv$$

• Conjugacy Search Problem: Given conjugate elements $u, w \in B_n$, find $v \in B_n$ such that

$$w = v^{-1}uv$$

• Multiple Simultaneous Conjugacy Search Problem: Given $m$ pairs of conjugate elements $(u_1, w_1), \ldots, (u_m, w_m) \in B_n \times B_n$ which are all conjugated by the same element, find $v \in B_n$ such that

$$w_i = v^{-1}u_i v, \quad \forall i \in \{1, \ldots, m\}$$

• Decomposition Problem: Given $u, w \in B_n$ and a subgroup $G \le B_n$, find $x, y \in G$ such that $w = xuy$.



1.6.2. Key-exchange protocols based on the braid group 

In this section, we present two key-exchange protocols which are based on 
apparently hard problems in the braid group. After the transmitter and 
receiver agree on a shared secret key, they can use a symmetric cryptosystem 
for transmitting messages in the insecure channel. 
1.6.2.1. Anshel-Anshel-Goldfeld key-exchange protocol 

The following scheme was proposed theoretically by Anshel, Anshel and 
Goldfeld [5], and implemented in the braid group by Anshel, Anshel, Fisher 
and Goldfeld [4]. 

This scheme assumes that the Conjugacy Search Problem is difficult 
enough (so this scheme, as well as the other schemes described below, would 
keep its interest, even if it turned out that braid groups are not relevant, 
since it might be implemented in other groups). 

Let $G$ be a subgroup of $B_n$: 

$G = \langle g_1, \ldots, g_m \rangle, \quad g_i \in B_n$ 

The secret keys of Alice and Bob are words $a \in G$ and $b \in G$ respectively. 

The key-exchange protocol is as follows: 
Protocol 1.6. 

Public keys: $\{g_1, \ldots, g_m\} \subset B_n$. 
Private keys: Alice: $a$; Bob: $b$. 

Alice: Sends Bob publicly the conjugates $a g_1 a^{-1}, \ldots, a g_m a^{-1}$. 
Bob: Sends Alice publicly the conjugates $b g_1 b^{-1}, \ldots, b g_m b^{-1}$. 

Shared secret key: $K = a b a^{-1} b^{-1}$ 

$K$ is indeed a shared key, since if $a = x_1 \cdots x_t$ where $x_i = g_j^{\pm 1}$ for 
some $j$, then Alice can compute $b a^{-1} b^{-1} = (b x_t^{-1} b^{-1}) \cdots (b x_1^{-1} b^{-1})$ and 
hence Alice knows $K = a (b a^{-1} b^{-1})$. Similarly, Bob can compute $a b a^{-1}$, 
and hence he knows $K = (a b a^{-1}) b^{-1}$. 

The security is based on the difficulty of a variant of the Conjugacy 
Search Problem in $B_n$, namely the Multiple Conjugacy Search Problem, in 
which one tries to find a conjugating braid starting not from one single 
pair of conjugate braids $(g, a g a^{-1})$, but from a finite family of such pairs 
$(g_1, a g_1 a^{-1}), \ldots, (g_m, a g_m a^{-1})$ obtained using the same conjugating braid. 
It should be noted that the Multiple Conjugacy Search Problem may be 
easier than the original Conjugacy Search Problem. 

In [4], it is suggested to work in $B_{80}$ with $m = 20$ and short initial 
braids $g_i$ of length 5 or 10 Artin generators. 

Remark 1.2. We simplified a bit the protocol given by Anshel-Anshel- 
Goldfeld, but the principle remains the same. Moreover, in their protocol, 
they used not the braids themselves, but their images under the colored 
Burau representation of the braid group defined by Morton [95] (see Section 
1.8.4.1 below). 

1.6.2.2. Diffie-Hellman-type key-exchange protocol 

Following the commutative idea of Diffie-Hellman for achieving a shared secret key, 
Ko et al. [72] propose a key-exchange protocol based on the braid 
group and on a commutativity property of some of its elements. Although 
braid groups are not commutative, we can find large subgroups such that 
each element of the first subgroup commutes with each element of the sec- 
ond. Indeed, braids involving disjoint sets of strands commute. A similar 
approach appears also in the Algebraic Eraser scheme (see [B] and Section 
[TO] here). 

Note that this scheme was proposed independently in fvW in the con- 
text of a general, unspecified noncommutative semigroup with difficult con- 
jugacy problem, but the braid groups were not mentioned there explicitly. 

Denote by $LB_n$ (resp. $UB_n$) the subgroup of $B_n$ generated by 
$\sigma_1, \ldots, \sigma_{m-1}$ (resp. $\sigma_{m+1}, \ldots, \sigma_{n-1}$) with $m = \lfloor n/2 \rfloor$. Then, every braid 
in $LB_n$ commutes with every braid in $UB_n$. 

Here is Ko et al.'s key-exchange protocol: 

Protocol 1.7. 

Public key: one braid $p$ in $B_n$. 

Private keys: Alice: $s \in LB_n$; Bob: $r \in UB_n$. 

Alice: Sends Bob $p' = s p s^{-1}$. 
Bob: Sends Alice $p'' = r p r^{-1}$. 

Shared secret key: $K = s r p r^{-1} s^{-1}$ 

$K$ is a shared key since Alice can compute $K = s p'' s^{-1}$ and Bob can 
compute $K = r p' r^{-1}$, and both are equal to $K$ since $s$ and $r$ commute. 

The security is based on the difficulty of the Conjugacy Search Problem 
in $B_n$, or, more exactly, on the difficulty of the following variant, which can 
be called the Diffie-Hellman-like Conjugacy Problem: 

Problem 1.4. Given a braid $p$ in $B_n$, and the braids $p' = s p s^{-1}$ and 
$p'' = r p r^{-1}$, where $s \in LB_n$ and $r \in UB_n$, find the braid $r p' r^{-1}$, which is 
also $s p'' s^{-1}$. 

The suggested parameters are $n = 80$, i.e. to work in $B_{80}$, with braids 
specified using (normal) sequences of length 12, i.e., sequences of 12 per- 
mutation braids (see [23]). 

1.6.3. Encryption and decryption 

The following scheme is proposed by Ko et al. [72]. We continue with the 
same notation of Ko et al. Assume that $h$ is a public collision-free one-way 
hash function from $B_n$ to $\{0,1\}^k$, i.e., a computable function such that the 
probability of having $h(b_2) = h(b_1)$ for $b_2 \neq b_1$ is negligible (collision-free), 
and retrieving $b$ from $h(b)$ is infeasible (one-way) (for some examples see 
Dehornoy [29, Section 4.4] and Myasnikov [99]). 

We start with $p \in B_n$ and $s \in LB_n$. Alice's public key is the pair $(p, p')$ 
with $p' = s p s^{-1}$, where $s$ is Alice's private key. For sending the message 
$m_B$, which we assume lies in $\{0,1\}^k$, Bob chooses a random braid $r$ in $UB_n$ 
and he sends the encrypted text $m'' = m_B \oplus h(r p' r^{-1})$ (using $\oplus$ for the 
Boolean operation "exclusive-or", i.e. the sum in $\mathbb{Z}/2\mathbb{Z}$), together with the 
additional datum $p'' = r p r^{-1}$. Now, Alice computes $m_A = m'' \oplus h(s p'' s^{-1})$, 
and we have $m_A = m_B$, which means that Alice retrieves Bob's original 
message. 

Indeed, because the braids $r$ and $s$ commute, we have (as before): 

$s p'' s^{-1} = s r p r^{-1} s^{-1} = r s p s^{-1} r^{-1} = r p' r^{-1}$, 

and, therefore, $m_A = m_B \oplus h(r p' r^{-1}) \oplus h(r p' r^{-1}) = m_B$. 

The security is based on the difficulty of the Diffie-Hellman-like Con- 
jugacy Problem in $B_n$. The recommended parameters are as in Ko et al.'s 
key-exchange protocol (see Section 1.6.2.2). 
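Protocols 1.6 and 1.7 and the encryption scheme of this section run end to end in the following added example, which is not code from the survey or from the cited papers. It stands in for braids with the unreduced Burau representation evaluated at t = 2 and for the hash h with SHA-256 of the matrix image; both are modelling assumptions (the Burau image is a homomorphism, so the shared-key identities hold exactly, but it is not a faithful copy of B_n and offers no security of its own), and every braid word used is constructed.

```python
# Added worked example (not code from the survey or the cited papers): Protocol 1.6
# (Anshel-Anshel-Goldfeld), Protocol 1.7 (Ko et al.) and the encryption scheme of
# Section 1.6.3.  Braids are handled through the unreduced Burau representation at
# t = 2, a homomorphism B_n -> GL(n, Q): the key identities hold exactly, but the
# images are not a faithful copy of B_n and give no security on their own.
# A braid word is a list of non-zero ints: i means sigma_i, -i means sigma_i^{-1}.
from fractions import Fraction
import hashlib

T = Fraction(2)  # evaluation point for the Burau variable t (assumption)

def identity(n):
    return [[Fraction(int(i == j)) for j in range(n)] for i in range(n)]

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]

def matinv(a):
    """Gauss-Jordan inverse over the rationals (Burau images are invertible)."""
    n = len(a)
    m = [row[:] + identity(n)[i] for i, row in enumerate(a)]
    for c in range(n):
        piv = next(r for r in range(c, n) if m[r][c] != 0)
        m[c], m[piv] = m[piv], m[c]
        m[c] = [v / m[c][c] for v in m[c]]
        for r in range(n):
            if r != c and m[r][c] != 0:
                m[r] = [x - m[r][c] * y for x, y in zip(m[r], m[c])]
    return [row[n:] for row in m]

def burau(n, i):
    """Burau matrix of sigma_i (i > 0) or of sigma_{-i}^{-1} (i < 0): the block
    [[1-t, t], [1, 0]] (resp. its inverse) placed at rows and columns |i|-1, |i|."""
    m, k = identity(n), abs(i) - 1
    block = ([[1 - T, T], [Fraction(1), Fraction(0)]] if i > 0
             else [[Fraction(0), Fraction(1)], [1 / T, (T - 1) / T]])
    for r in range(2):
        for c in range(2):
            m[k + r][k + c] = block[r][c]
    return m

def braid(n, word):  # image of a braid word; sigma_i, sigma_j commute for |i-j| >= 2
    m = identity(n)
    for i in word:
        m = matmul(m, burau(n, i))
    return m

def inverse_word(word):
    return [-i for i in reversed(word)]

def conj(n, w, mat):  # image of w * x * w^-1 for a known word w and a received image of x
    return matmul(matmul(braid(n, w), mat), braid(n, inverse_word(w)))

def aag(n, gens, a_expr, b_expr):
    """Protocol 1.6.  gens: the public words g_1..g_m; a_expr, b_expr: private keys
    as lists of (j, e) meaning g_j^e.  Returns (K_Alice, K_Bob) = a b a^-1 b^-1."""
    word = lambda expr: [i for j, e in expr for i in (gens[j] if e > 0 else inverse_word(gens[j]))]
    a, b = word(a_expr), word(b_expr)
    pub_a = [conj(n, a, braid(n, g)) for g in gens]  # Alice publishes a g_j a^-1
    pub_b = [conj(n, b, braid(n, g)) for g in gens]  # Bob publishes b g_j b^-1
    t = identity(n)  # Alice: b a^-1 b^-1 = product of (b g_j b^-1)^(-e) over a reversed
    for j, e in reversed(a_expr):
        t = matmul(t, pub_b[j] if e < 0 else matinv(pub_b[j]))
    u = identity(n)  # Bob: a b a^-1 = product of (a g_j a^-1)^e along b
    for j, e in b_expr:
        u = matmul(u, pub_a[j] if e > 0 else matinv(pub_a[j]))
    return matmul(braid(n, a), t), matmul(u, braid(n, inverse_word(b)))

def ko_lee(n, p, s, r):
    """Protocol 1.7.  p public; s in LB_n, r in UB_n private (m = n // 2).
    Returns (K_Alice, K_Bob) = (s p'' s^-1, r p' r^-1)."""
    m = n // 2
    assert all(0 < abs(i) < m for i in s) and all(m < abs(i) < n for i in r)
    p1 = conj(n, s, braid(n, p))  # Alice -> Bob:  p'  = s p s^-1
    p2 = conj(n, r, braid(n, p))  # Bob -> Alice:  p'' = r p r^-1
    return conj(n, s, p2), conj(n, r, p1)

def h(mat):
    """Stand-in for the hash h: SHA-256 of the matrix image, so two words for the
    same braid hash equally.  The pad is 32 bytes, hence messages <= 32 bytes."""
    return hashlib.sha256(repr([[str(v) for v in row] for row in mat]).encode()).digest()

def keygen(n, p, s):  # Alice: public key (p, p' = s p s^-1) as images, private s
    return braid(n, p), conj(n, s, braid(n, p))

def encrypt(n, public, r, msg):
    """Section 1.6.3: Bob draws r in UB_n, sends (m xor h(r p' r^-1), p'' = r p r^-1)."""
    assert len(msg) <= 32
    p_img, p1 = public
    pad = h(conj(n, r, p1))
    return bytes(x ^ y for x, y in zip(msg, pad)), conj(n, r, p_img)

def decrypt(n, s, cipher, p2):  # Alice: cipher xor h(s p'' s^-1); s and r commute
    return bytes(x ^ y for x, y in zip(cipher, h(conj(n, s, p2))))
```

In B_6 the private braids are drawn from LB_6 = <σ_1, σ_2> and UB_6 = <σ_4, σ_5>, whose Burau blocks act on disjoint coordinates, which is exactly why the two computations of K agree.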

1.6.4. Authentication schemes 

Three authentication schemes were introduced by Sibert, Dehornoy and 
Girault [117], which are based on the Conjugacy Search Problem and the Root 
Extraction Problem. Concerning the cryptanalysis of the Root Extraction 
Problem, see [63]. 

We present here their first scheme. This scheme is related to the Diffie- 
Hellman-based key exchange in its idea of verifying that the secret key 
computed at the two ends is the same. 

Note that any encryption scheme can be transformed into an authenti- 
cation scheme, by sending to Alice both an encrypted version and a hashed 
image of the same message $m$, then requesting her to reply with the deci- 
phered message $m$ (she will do it only if the hashed image of the deciphered 
message is the same as the one sent by Bob). 

Their first scheme is based on the difficulty of the Diffie-Hellman-like Con- 
jugacy Problem. It uses the fact that braids involving disjoint families of 
strands commute. The data consist of a public key, which is a pair of braids, 
and of Alice's private key, also a braid. We assume that $n$ is even, and de- 
note by $LB_n$ (resp. $UB_n$) the subgroup of $B_n$ generated by $\sigma_1, \ldots, \sigma_{n/2-1}$, 
i.e., braids where the $n/2$ lower strands only are braided (resp. the sub- 
group generated by $\sigma_{n/2+1}, \ldots, \sigma_{n-1}$). The point is that every element in 
$LB_n$ commutes with every element in $UB_n$, and alternative subgroups with 
this property could be used instead. We assume that $H$ is a fixed collision- 
free hash function from braids to sequences of 0's and 1's or, possibly, to 
braids. 

• Phase 1. Key generation: 

(1) Choose a public braid $b$ in $B_n$ such that the Diffie-Hellman-like 
Conjugacy Problem for $b$ is hard enough; 

(2) Alice chooses a secret braid $s$ in $LB_n$, her private key; she pub- 
lishes $b' = s b s^{-1}$; the pair $(b, b')$ is her public key. 

• Phase 2. Authentication phase: 

(1) Bob chooses a braid $r$ in $UB_n$, and sends the challenge $x = r b r^{-1}$ 
to Alice; 

(2) Alice sends the response $y = H(s x s^{-1})$ to Bob, and Bob checks 
$y = H(r b' r^{-1})$. 

For active attacks, the security is ensured by the hash function H: if H 
is one-way, these attacks are ineffective. 

Two more authentication schemes were suggested by Lal and Chaturvedi 
[76]. Their cryptanalysis is discussed in [63, 122]. 

1.7. Attacks on the conjugacy search problem using Summit Sets 

In this section, we explain the algorithms for solving the Conjugacy Decision 
Problem and the Conjugacy Search Problem (CDP/CSP) in braid groups 
which are based on Summit Sets. These algorithms are given in 
[35], [53], [23]. We start with the basic idea, and then we continue with its 
implementations. 

We follow here the excellent presentation of Birman, Gebhardt and 
González-Meneses [14]. For more details, see their paper. 

1.7.1. The basic idea 

Given an element $x \in B_n$, the algorithm computes a finite subset $I_x$ of the 
conjugacy class of $x$ which has the following properties: 

(1) For every $x \in B_n$, the set $I_x$ is finite, non-empty and only depends on 
the conjugacy class of $x$. It means that two elements $x, y \in B_n$ are 
conjugate if and only if $I_x = I_y$. 

(2) For each $x \in B_n$, one can compute efficiently a representative $\tilde{x} \in I_x$ 
and an element $a \in B_n$ such that $a^{-1} x a = \tilde{x}$. 

(3) There is a finite algorithm which can construct the whole set $I_x$ from 
any representative $\tilde{x} \in I_x$. 

Now, for solving the CDP/CSP for given $x, y \in B_n$ we have to perform 
the following steps. 

(a) Find representatives $\tilde{x} \in I_x$ and $\tilde{y} \in I_y$. 

(b) Using the algorithm from property (3), compute further elements of $I_x$ 
(while keeping track of the conjugating elements), until either: 

(i) $\tilde{y}$ is found as an element of $I_x$, proving $x$ and $y$ to be conjugate and 
providing a conjugating element, or 

(ii) the entire set $I_x$ has been constructed without encountering $\tilde{y}$, prov- 
ing that $x$ and $y$ are not conjugate. 

We now survey the different algorithms based on this approach. 

In Garside's original algorithm [51], the set $I_x$ is the Summit Set of $x$, 
denoted $SS(x)$, which is the set of conjugates of $x$ having maximal infimum. 

Remark 1.3. All the algorithms presented below for the different types of 
Summit Sets work also for Garside groups (defined by Dehornoy and Paris 
[36]), which are a generalization of the braid groups. In our survey, for 
simplification, we present them in the language of braid groups. For more 
details on the Garside groups and the generalized algorithms, see [14]. 
1.7.2. The Super Summit Sets 

The Summit Set is improved by El-Rifai and Morton [43], who consider 
$I_x = SSS(x)$, the Super Summit Set of $x$, consisting of the conjugates of $x$ 
having minimal canonical length $\ell(x)$. They also show that $SSS(x)$ is the 
set of conjugates of $x$ having maximal infimum and minimal supremum 
at the same time. El-Rifai and Morton [43] show that $SSS(x)$ is finite. In 
general, $SSS(x)$ is much smaller than $SS(x)$. For example, take the element 
$x = \Delta^4 \sigma_1 \sigma_3 \in B_4$; then $SSS(x) = \{\Delta^4 \cdot \sigma_1\sigma_3\}$ while 

$SS(x) = \{\Delta^4 \cdot \sigma_1\sigma_3,\ \Delta^4 \cdot \sigma_1 \cdot \sigma_1,\ \Delta^4 \cdot \sigma_3 \cdot \sigma_3\}$ 

(the factors in each left normal form are separated by a dot) [14, page 8]. 
Starting from a given element $x$, one can find an element $\tilde{x} \in SSS(x)$ by 
a sequence of special conjugations, called cyclings and decyclings: 

Definition 1.8. Let $x = \Delta^p x_1 \cdots x_r \in B_n$ be given in Garside's normal 
form and assume $r > 0$. 

The cycling of $x$, denoted by $c(x)$, is: 

$c(x) = \Delta^p x_2 \cdots x_r\, \tau^p(x_1)$, 

where $\tau$ is the involution which maps $\sigma_i$ to $\sigma_{n-i}$, for all $1 \le i < n$. 
The decycling of $x$, denoted by $d(x)$, is: 

$d(x) = x_r \Delta^p x_1 x_2 \cdots x_{r-1} = \Delta^p\, \tau^p(x_r)\, x_1 x_2 \cdots x_{r-1}$. 

If $r = 0$, we have $c(x) = d(x) = x$. 

Note that $c(x) = (\tau^{-p}(x_1))^{-1}\, x\, (\tau^{-p}(x_1))$ and $d(x) = x_r\, x\, x_r^{-1}$. This 
means that for an element of positive canonical length, the cycling of $x$ is 
computed by moving the first permutation braid of $x$ to the end, while the 
decycling of $x$ is computed by moving the last permutation braid of $x$ to 
the front. Moreover, for every $x \in B_n$, $\inf(x) \le \inf(c(x))$ and $\sup(x) \ge 
\sup(d(x))$. 

Note that the above decompositions of $c(x)$ and $d(x)$ are not, in general, 
Garside's normal forms. Hence, if one wants to perform iterated cyclings 
or decyclings, one needs to compute the left normal form of the resulting 
element at each iteration. 

Given $x$, one can use cyclings and decyclings to find an element in 
$SSS(x)$ in the following way: Suppose that we have an element $x \in B_n$ 
such that $\inf(x)$ is not equal to the maximal infimum in the conjugacy 
class of $x$. Then, we can increase the infimum by repeated cycling (due to 
[18, 43]): there exists a positive integer $k_1$ such that $\inf(c^{k_1}(x)) > \inf(x)$. 
Therefore, by repeated cycling, we can conjugate $x$ to another element $\tilde{x}$ of 
maximal infimum. Once $\tilde{x}$ is obtained, if the supremum is not minimal in 
the conjugacy class, we can decrease its supremum by repeated decycling. 
Again, due to [18, 43], there exists an integer $k_2$ such that $\sup(d^{k_2}(\tilde{x})) < 
\sup(\tilde{x})$. Hence, using repeated cycling and decycling a finite number of 
times, one obtains an element in $SSS(x)$. 

If we denote by $m$ the length of $\Delta$ in Artin generators and by $r$ the 
canonical length of $x$, then we have (see [18, 43]): 

Prop 1.2. A sequence of at most $rm$ cyclings and decyclings applied to $x$ 
produces a representative $\tilde{x} \in SSS(x)$. 

Now, we have to explore the whole set $SSS(x)$. We have the following result 
(see [43]): 

Prop 1.3. Let $x \in B_n$ and $V \subseteq SSS(x)$ be non-empty. If $V \neq SSS(x)$, then 
there exist $y \in V$ and a permutation braid $s$ such that $s^{-1} y s \in SSS(x) \setminus V$. 

Since $SSS(x)$ is a finite set, the above proposition allows us to compute 
the whole $SSS(x)$. More precisely, if one knows a subset $V \subseteq SSS(x)$ (we 
start with $V = \{\tilde{x}\}$), one conjugates each element in $V$ by all permutation 
braids ($n!$ elements). If one encounters a new element $z$ with the same 
canonical length as $x$ (which is a new element in $SSS(x)$), then add $z$ to $V$ 
and start again. If no new element is found, this means that $V = SSS(x)$, 
and we are done. 

One important remark is that this algorithm not only computes the set 
$SSS(x)$, but it also provides conjugating elements joining the elements in 
$SSS(x)$. 

Now, checking whether $x$ and $y$ are conjugate is done as follows: Compute 
representatives $\tilde{x} \in SSS(x)$ and $\tilde{y} \in SSS(y)$. If $\inf(\tilde{x}) \neq \inf(\tilde{y})$ or $\sup(\tilde{x}) \neq 
\sup(\tilde{y})$, then $x$ and $y$ are not conjugate. Otherwise, start computing $SSS(x)$ 
as described above. The elements $x$ and $y$ are conjugate if and only if $\tilde{y} \in 
SSS(x)$. Note that if $x$ and $y$ are conjugate, an element conjugating $x$ to $y$ 
can be found by keeping track of the conjugations during the computations 
of $\tilde{x}$, $\tilde{y}$ and $SSS(x)$. Hence, it solves the Conjugacy Decision Problem and 
the Conjugacy Search Problem simultaneously. 
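The whole procedure of this section, from the left normal form through cycling and decycling to the exploration of $SSS(x)$ by conjugation with all $n!$ permutation braids, is carried out in the following added example, which is not code from the survey or from [14] or [43]. It assumes the standard encoding of permutation braids as permutations of strand positions, implements the unoptimized search described here (not the minimal-permutation-braid refinement of [46]), and all sample braids are constructed.

```python
# Added worked example (not code from the survey, [14] or [43]): left normal form,
# cycling/decycling and the Super Summit Set search of Section 1.7.2, with the
# standard permutation-braid calculus.  Word: list of ints, i = sigma_i, -i = its
# inverse.  Permutation braid: tuple a, a[j] = end position (0-based) of the strand
# starting at j; perm(x*y) = perm(y) o perm(x).  All sample braids are constructed.
from itertools import permutations

def _compose(a, b):  # permutation braid a followed by b
    return tuple(b[a[j]] for j in range(len(a)))
def _inverse(a):
    return tuple(sorted(range(len(a)), key=a.__getitem__))
def _delta(n):  # Garside element Delta: the half twist reverses all strands
    return tuple(range(n - 1, -1, -1))
def _gen(n, i):  # sigma_i as a permutation braid (1 <= i <= n-1)
    p = list(range(n))
    p[i - 1], p[i] = p[i], p[i - 1]
    return tuple(p)
def _tau(a):  # tau(a) = Delta^-1 a Delta, i.e. sigma_i -> sigma_{n-i}
    n = len(a)
    return tuple(n - 1 - a[n - 1 - j] for j in range(n))
def _starts(a):  # {i : sigma_i is a prefix of a}: strands i and i+1 cross
    return {i for i in range(1, len(a)) if a[i - 1] > a[i]}
def _finishes(a):  # {i : sigma_i is a suffix of a}
    return _starts(_inverse(a))

def _normalize(n, p, factors):
    """Left normal form of Delta^p f_1 ... f_k: while some sigma_i starts f_{k+1}
    but does not finish f_k, slide it left.  Returns (inf, [x_1, ..., x_r])."""
    factors, changed = list(factors), True
    while changed:
        changed = False
        for k in range(len(factors) - 1):
            extra = _starts(factors[k + 1]) - _finishes(factors[k])
            while extra:
                i, a, b = extra.pop(), list(factors[k]), list(factors[k + 1])
                x, y = a.index(i - 1), a.index(i)
                a[x], a[y] = a[y], a[x]  # a := a * sigma_i (swap two values)
                b[i - 1], b[i] = b[i], b[i - 1]  # b := sigma_i^-1 * b (swap positions)
                factors[k], factors[k + 1], changed = tuple(a), tuple(b), True
                extra = _starts(factors[k + 1]) - _finishes(factors[k])
    factors = [f for f in factors if f != tuple(range(n))]  # trivial factors vanish
    while factors and factors[0] == _delta(n):  # leading Delta's go into inf
        p, factors = p + 1, factors[1:]
    return p, factors

def normal_form(n, word):
    """(inf, factors): sigma_i^-1 = Delta^-1 (Delta sigma_i^-1), Delta^-1 pushed front."""
    p, factors = 0, []
    for i in word:
        if i > 0:
            factors.append(_gen(n, i))
        else:
            p -= 1
            factors = [_tau(f) for f in factors] + [_compose(_delta(n), _gen(n, -i))]
    return _normalize(n, p, factors)

def cycling(n, p, f):  # c(x) = Delta^p x_2 ... x_r tau^p(x_1), renormalized
    return _normalize(n, p, f[1:] + [_tau(f[0]) if p % 2 else f[0]]) if f else (p, f)
def decycling(n, p, f):  # d(x) = Delta^p tau^p(x_r) x_1 ... x_{r-1}, renormalized
    return _normalize(n, p, [_tau(f[-1]) if p % 2 else f[-1]] + f[:-1]) if f else (p, f)

def sss_representative(n, word):
    """Cycle until inf stops growing, then decycle until sup stops shrinking
    (Prop. 1.2); the result lies in SSS(x)."""
    p, f = normal_form(n, word)
    for op, improved in ((cycling, lambda q, g, p, f: q > p),
                         (decycling, lambda q, g, p, f: q + len(g) < p + len(f))):
        seen = set()
        while (p, tuple(f)) not in seen:  # stop once the cycling orbit closes up
            seen.add((p, tuple(f)))
            q, g = op(n, p, f)
            if improved(q, g, p, f):  # inf rose / sup dropped: forget the old orbit
                seen.clear()
            p, f = q, g
    return p, f

def _word(n, a):  # a positive word for the permutation braid a (bubble sort)
    a, w = list(a), []
    for i in range(n - 1):
        for j in range(n - 1 - i):
            if a[j] > a[j + 1]:
                a[j], a[j + 1] = a[j + 1], a[j]
                w.append(j + 1)
    return w

def super_summit_set(n, word):
    """All of SSS(x) as in [43]: conjugate each known element by every one of the
    n! permutation braids and keep the conjugates with the same inf and sup."""
    p0, f0 = sss_representative(n, word)
    start, d = (p0, tuple(f0)), _word(n, _delta(n))
    sss, queue = {start}, [start]
    while queue:
        p, f = queue.pop()
        y = d * p if p >= 0 else [-i for i in reversed(d)] * -p  # word for Delta^p
        for fac in f:
            y = y + _word(n, fac)
        for s in permutations(range(n)):
            sw = _word(n, s)
            q, g = normal_form(n, [-i for i in reversed(sw)] + y + sw)  # s^-1 y s
            if q == p0 and len(g) == len(f0) and (q, tuple(g)) not in sss:
                sss.add((q, tuple(g)))
                queue.append((q, tuple(g)))
    return sss
```

Calling super_summit_set(4, [1, 3, 2, 1, 1, 2, 2, 1, 3]) on the braid of Example 1.3 below enumerates the 22 elements of its Super Summit Set, while sss_representative(3, [-2, 1, 2]) cycles $\sigma_2^{-1}\sigma_1\sigma_2 = \Delta^{-1}\cdot\sigma_2\sigma_1\cdot\sigma_1\sigma_2$ to $\sigma_2$ in one step.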

From the algorithm, we see that the computational cost of computing 
$SSS(x)$ depends mainly on two ingredients: the size of $SSS(x)$ and the num- 
ber of permutation braids. In $B_n$, all known upper bounds for the size of 
$SSS(x)$ are exponential in $n$, although it is conjectured that for fixed $n$, a 
polynomial bound in the canonical length of $x$ exists [44]. 

Franco and González-Meneses [46] reduce the size of the set we have to 
conjugate with, by the following observation: 

Prop 1.4. Let $x \in B_n$ and $y \in SSS(x)$. For every positive braid $u$ 
there is a unique $\preccurlyeq$-minimal element $c_y(u)$ satisfying $u \preccurlyeq c_y(u)$ and 
$(c_y(u))^{-1}\, y\, (c_y(u)) \in SSS(x)$. 

Definition 1.9. Given $x \in B_n$ and $y \in SSS(x)$, we say that a permutation 
braid $s \neq 1$ is minimal for $y$ with respect to $SSS(x)$ if $s^{-1} y s \in SSS(x)$, and 
no proper prefix of $s$ satisfies this property. 

It is easy to see that the number of minimal permutation braids for $y$ 
is bounded by the number of Artin's generators. 
Now, we have: 

Prop 1.5. Let $x \in B_n$ and $V \subseteq SSS(x)$ be non-empty. If $V \neq SSS(x)$, 
then there exist $y \in V$ and a generator $\sigma_i$ such that $c_y(\sigma_i)$ is a minimal 
permutation braid for $y$, and $(c_y(\sigma_i))^{-1}\, y\, (c_y(\sigma_i)) \in SSS(x) \setminus V$. 

Using these propositions, $SSS(x)$ can be computed as in [43], but 
instead of conjugating each element $y \in SSS(x)$ by all permutation braids 
($n!$ elements), it suffices to conjugate $y$ by the minimal permutation braids 
$c_y(\sigma_i)$ ($1 \le i \le n-1$, that is, $n-1$ elements). 

Figure 1.15 (taken from [29]) summarizes the solution of the conjugacy 
problem using the Super Summit Set for an element $b$. 

Note that the algorithm computes a directed graph whose vertices are 
the elements in $SSS(x)$, and whose arrows are defined as follows: for any 
two elements $y, z \in SSS(x)$, there is an arrow labeled by the minimal per- 
mutation braid $\rho_i$ starting at $y$ and ending at $z$ if $\rho_i^{-1} y \rho_i = z$. 

An example of such a graph can be seen in Figure 1.16 for the set 
$SSS(\sigma_1)$ in $B_4$ (taken from [14, pp. 10-11]). Note that there are exactly 3 
arrows starting at every vertex (the number of Artin generators of $B_4$). In 
general, the number of arrows starting at a given vertex can be smaller than or 
equal to, but never larger than, the number of generators. 

Hence, the size of the set of permutation braids is no longer a problem for 
the complexity of the algorithm (since we can use the minimal permutation 
braids instead), but there is still a big problem to handle: the size of $SSS(x)$ 
is, in general, very big. The next improvement tries to deal with this. 
Fig. 1.15. Solving the conjugacy problem: going to the SSS and then exploring it (the 
points represent the conjugates of $b$) 

Fig. 1.16. The graph of $SSS(\sigma_1)$ in $B_4$ 



1.7.3. The Ultra Summit Sets 

Gebhardt [53] defines a small subset of $SSS(x)$ satisfying all the good prop- 
erties described above, so that a similar algorithm can be used to compute 
it. The definition of this new subset appears after observing that the cy- 
cling function maps $SSS(x)$ to itself. As $SSS(x)$ is finite, iterated cycling of 
any representative of $SSS(x)$ must eventually become periodic. Hence it is 
natural to define the following: 

Definition 1.10. Given $x \in B_n$, the Ultra Summit Set of $x$, $USS(x)$, is the 
set of elements $y \in SSS(x)$ such that $c^m(y) = y$ for some $m > 0$. 

Hence, the Ultra Summit Set $USS(x)$ consists of a finite set of disjoint 
orbits, closed under cycling (see the schematic example in Figure 1.17). 
Fig. 1.17. Action of cycling inside the Super Summit Set; the elements of the Ultra 
Summit Set are in black and perform some orbits under cycling (taken from [29, Figure 
4]) 

Example 1.3. [14] One has 

$USS(\sigma_1) = SSS(\sigma_1) = SS(\sigma_1) = \{\sigma_1, \ldots, \sigma_{n-1}\}$, 

and each element corresponds to an orbit under cycling, since $c(\sigma_i) = \sigma_i$ 
for $i = 1, \ldots, n-1$. 

A more interesting example is given by the element 

$x = \sigma_1\sigma_3\sigma_2\sigma_1 \cdot \sigma_1\sigma_2 \cdot \sigma_2\sigma_1\sigma_3 \in B_4$. 

In this example, $USS(x)$ has 6 elements, while $SSS(x)$ has 22 elements. 
More precisely, $USS(x)$ consists of 2 closed orbits under cycling: $USS(x) = 
O_1 \cup O_2$, each one containing 3 elements: 

$O_1 = \{\ \sigma_1\sigma_3\sigma_2\sigma_1 \cdot \sigma_1\sigma_2 \cdot \sigma_2\sigma_1\sigma_3,\ \ 
\sigma_1\sigma_2 \cdot \sigma_2\sigma_1\sigma_3 \cdot \sigma_1\sigma_3\sigma_2\sigma_1,\ \ 
\sigma_2\sigma_1\sigma_3 \cdot \sigma_1\sigma_3\sigma_2\sigma_1 \cdot \sigma_1\sigma_2\ \}$ 

$O_2 = \{\ \sigma_3\sigma_1\sigma_2\sigma_3 \cdot \sigma_3\sigma_2 \cdot \sigma_2\sigma_3\sigma_1,\ \ 
\sigma_3\sigma_2 \cdot \sigma_2\sigma_3\sigma_1 \cdot \sigma_3\sigma_1\sigma_2\sigma_3,\ \ 
\sigma_2\sigma_3\sigma_1 \cdot \sigma_3\sigma_1\sigma_2\sigma_3 \cdot \sigma_3\sigma_2\ \}$ 

Notice that $O_2 = \tau(O_1)$. 

Note also that the cycling of every element in $USS(x)$ gives another 
element which is already in left normal form, hence iterated cyclings cor- 
respond to cyclic permutations of the factors in the left normal form. 
Elements which satisfy this property are called rigid (see [14]). 

Remark 1.4. The size of the Ultra Summit Set of a generic braid of canon- 
ical length $\ell$ is either $\ell$ or $2\ell$ [15]. This means that, in the generic case, 
Ultra Summit Sets consist of one or two orbits (depending on whether 
$\tau(O_1) = O_1$ or not), containing rigid braids. But, there are exceptions: for 
example, the following braid in $B_{12}$: 

$E = (\sigma_2\sigma_1\sigma_7\sigma_6\sigma_5\sigma_4\sigma_3\sigma_8\sigma_7\sigma_{11}\sigma_{10}) \cdot (\sigma_1\sigma_2\sigma_3\sigma_2\sigma_1\sigma_4\sigma_3\sigma_{10}) \cdot 
(\sigma_1\sigma_3\sigma_4\sigma_{10}) \cdot (\sigma_1\sigma_{10}) \cdot (\sigma_1\sigma_{10}\sigma_9\sigma_8\sigma_7\sigma_{11}) \cdot (\sigma_1\sigma_2\sigma_7\sigma_{11})$ 

has an Ultra Summit Set of size 264, instead of the expected size 12 (see 
[15, Example 5.1]). 

In the case of braid groups, the size and structure of the Ultra Summit 
Sets happen to depend very much on the geometrical properties of the 
braid, more precisely, on its Nielsen-Thurston type: periodic, reducible or 
pseudo-Anosov (see [14, 15]). 

The algorithm given in [53] to solve the CDP/CSP in braid groups 
(using Ultra Summit Sets) is analogous to the previous ones, but this time 
one needs to compute $USS(x)$ instead of $SSS(x)$. In order to do this, we 
first have to obtain an element $\hat{x} \in USS(x)$. We do this as follows: take 
an element $\tilde{x} \in SSS(x)$. Now, start cycling it. Due to the facts that 
cycling an element in $SSS(x)$ will result in another element in $SSS(x)$ and 
that the Super Summit Set of $x$ is finite, we will have two integers $m_1, m_2$ 
($m_1 < m_2$), which satisfy: 

$c^{m_1}(\tilde{x}) = c^{m_2}(\tilde{x})$ 

When having this, the element $\hat{x} = c^{m_1}(\tilde{x})$ is in $USS(x)$, since: 

$c^{m_2 - m_1}(\hat{x}) = \hat{x}$. 

After finding a representative $\hat{x} \in USS(x)$, we have to explore the whole 
set $USS(x)$. This we do using the following results of Gebhardt [53] (which 
are similar to the case of the Super Summit Set): 

Prop 1.6. Let $x \in B_n$ and $y \in USS(x)$. For every positive braid 
$u$ there is a unique $\preccurlyeq$-minimal element $c_y(u)$ satisfying $u \preccurlyeq c_y(u)$ and 
$(c_y(u))^{-1}\, y\, (c_y(u)) \in USS(x)$. 

Definition 1.11. Given $x \in B_n$ and $y \in USS(x)$, we say that a per- 
mutation braid $s \neq 1$ is minimal for $y$ with respect to $USS(x)$ if 
$s^{-1} y s \in USS(x)$, and no proper prefix of $s$ satisfies this property. 

It is easy to see that the number of minimal permutation braids for $y$ 
is bounded by the number of Artin's generators. 
Now, we have: 

Prop 1.7. Let $x \in B_n$ and $V \subseteq USS(x)$ be non-empty. If $V \neq USS(x)$, 
then there exist $y \in V$ and a generator $\sigma_i$ such that $c_y(\sigma_i)$ is a minimal 
permutation braid for $y$, and $(c_y(\sigma_i))^{-1}\, y\, (c_y(\sigma_i)) \in USS(x) \setminus V$. 

In [53], it is shown how to compute the minimal permutation braids 
(they are called there minimal simple elements in the Garside group's lan- 
guage) corresponding to a given $y \in USS(x)$ (a further discussion on the 
minimal simple elements with some examples can be found in [15]). Hence, 
one can compute the whole $USS(x)$ starting from a single element $\hat{x} \in USS(x)$, 
and then we are done. 

For a better characterization of the minimal permutation braids, let us 
introduce some notions related to a braid given in a left normal form (see 

Definition 1.12. Given $x \in B_n$ whose left normal form is 
$x = \Delta^p x_1 \cdots x_r$ ($r > 0$), we define the initial factor of $x$ as 
$\iota(x) = \tau^{-p}(x_1)$, and the final factor of $x$ as $\varphi(x) = x_r$. If $r = 0$ we 
define $\iota(\Delta^p) = 1$ and $\varphi(\Delta^p) = \Delta$. 

Definition 1.13. Let $u, v$ be permutation braids such that $uv = \Delta$. The 
right complement of $u$, $\partial(u)$, is defined by $\partial(u) = u^{-1}\Delta = v$. 

Note that a cycling of $x$ is actually a conjugation of $x$ by the initial factor 
$\iota(x)$: $c(x) = \iota(x)^{-1}\, x\, \iota(x)$, and a decycling of $x$ is actually a conjugation of 
$x$ by the inverse of the final factor $\varphi(x)^{-1}$: $d(x) = \varphi(x)\, x\, \varphi(x)^{-1}$. 

The notions of Definition 1.12 are closely related (see [14]): 
Lemma 1.1. For every $x \in B_n$, one has $\iota(x^{-1}) = \partial(\varphi(x))$ and $\varphi(x^{-1}) = 
\partial^{-1}(\iota(x))$. 

The following proposition from [15] characterizes the minimal permuta- 
tion braids for $x$ as prefixes of $x$ or of $x^{-1}$: 

Prop 1.8. Let $x \in USS(x)$ with $\ell(x) > 0$ and let $c_x(\sigma_i)$ be a minimal 
permutation braid for $x$. Then $c_x(\sigma_i)$ is a prefix of either $\iota(x)$ or $\iota(x^{-1})$, or 
both. 

As in the case of the Super Summit Set, the algorithm of Gebhardt 
[53] not only computes $USS(x)$, but also a graph $\Gamma_x$, which determines the 
conjugating elements. This graph is defined as follows. 

Definition 1.14. Given $x \in B_n$, the directed graph $\Gamma_x$ is defined by the 
following data: 

(1) The set of vertices is $USS(x)$. 

(2) For every $y \in USS(x)$ and every minimal permutation braid $s$ for $y$ 
with respect to $USS(x)$, there is an arrow labeled by $s$ going from $y$ to 
$s^{-1} y s$. 

Example 1.4. Let us give an example for the graph $\Gamma_x$. We follow [16, 
Example 2.10]. 

Let $x = \sigma_1\sigma_2\sigma_3\sigma_2 \cdot \sigma_2\sigma_1\sigma_3 \cdot \sigma_1\sigma_3 \in B_4$. This braid $x$ is pseudo-Anosov 
and rigid. A computation shows that $USS(x)$ has exactly two cycling orbits, 
with 3 elements each, namely: 

$x_1 = \{\ x_{1,1} = \sigma_1\sigma_2\sigma_3\sigma_2 \cdot \sigma_2\sigma_1\sigma_3 \cdot \sigma_1\sigma_3,\ \ 
x_{1,2} = \sigma_2\sigma_1\sigma_3 \cdot \sigma_1\sigma_3 \cdot \sigma_1\sigma_2\sigma_3\sigma_2,\ \ 
x_{1,3} = \sigma_1\sigma_3 \cdot \sigma_1\sigma_2\sigma_3\sigma_2 \cdot \sigma_2\sigma_1\sigma_3\ \}$ 

$x_2 = \{\ x_{2,1} = \sigma_1\sigma_3\sigma_2\sigma_1 \cdot \sigma_2\sigma_1\sigma_3 \cdot \sigma_1\sigma_3,\ \ 
x_{2,2} = \sigma_2\sigma_1\sigma_3 \cdot \sigma_1\sigma_3 \cdot \sigma_1\sigma_3\sigma_2\sigma_1,\ \ 
x_{2,3} = \sigma_1\sigma_3 \cdot \sigma_1\sigma_3\sigma_2\sigma_1 \cdot \sigma_2\sigma_1\sigma_3\ \}$ 

The graph $\Gamma_x$ of $USS(x)$ is illustrated in Figure 1.18. The solid ar- 
rows are conjugations by minimal permutation braids which are prefixes 
of the initial factors, while the dashed arrows are conjugations by minimal 
permutation braids which are prefixes of the final factors. Note that the 
definitions imply that the cycles $x_1$ and $x_2$ of $USS(x)$ are connected by 
solid arrows. 

Concerning the complexity of this algorithm for solving the Conjugacy 
Search Problem, the number $m_2$ of times one needs to apply cycling for 
finding an element in $USS(x)$ is not known in general. Nevertheless, in 
practice, the algorithm based on the Ultra Summit Set is substantially bet- 
ter for braid groups (see [14]). For more information on the Ultra Summit 
Set and its structure, see [15]. 

Remark 1.5. One might think that for a given element $x \in B_n$, it is 
possible that its Ultra Summit Set with respect to the Garside normal 
form will be different from its Ultra Summit Set with respect to the right 
normal form (see Section 1.3.1). If this happens, it is possible that even 
though one of the Ultra Summit Sets is large, the other will be small. 

Fig. 1.18. The graph of $USS(\sigma_1\sigma_2\sigma_3\sigma_2\sigma_2\sigma_1\sigma_3\sigma_1\sigma_3) \subset B_4$ 

Gebhardt and González-Meneses [53] show that at least for rigid braids, 
the size of the above two Ultra Summit Sets is equal, and their associated 
graphs are isomorphic (a braid $w$ is called rigid if the cycling of $w$, $c(w)$, 
is already given in Garside normal form, with no need for changing the 
permutation braids; see also [13, Section 3] and Example 1.3 here). They 
conjecture that this is the situation for any braid. 



1.7.4. Some variants of the Ultra Summit Sets 

In this section, we sketch some variants of the Super Summit Sets and the 
Ultra Summit Sets suggested by several authors. 



1.7.4.1. Reduced Super Summit Sets 

Lee, in his thesis EH (2000), suggests a variant of the Super Summit Set, 
which is actually a subset of the Ultra Summit Set which was defined later 
(2005) by Gebhardt: 

Definition 1.15. The Reduced Super Summit Set of $x$, denoted by $RSSS(x)$, 
is: 

$RSSS(x) = \{\, y \in C(x) \mid c^m(y) = y \text{ and } d^n(y) = y \text{ for some } m, n \ge 1 \,\}$, 

where $C(x)$ is the conjugacy class of $x$. 

Lee's motivation to look at $RSSS(x)$ comes from the facts that it is still 
easy to find algorithmically an element in $RSSS(x)$ for a given $x$, this set 
is invariant under cyclings and decyclings, and this set is usually smaller 
than $SSS(x)$. 

Indeed, it is easy to see (by [33] and [SHI]) that: 

$RSSS(x) \subseteq USS(x) \subseteq SSS(x)$ 

Lee indicates that there is no known algorithm to generate $RSSS(x)$ 
without generating $SSS(x)$ before. Despite this, he has succeeded in com- 
puting $RSSS(x)$ in polynomial time for the case of rigid braids in $B_4$. 

1.7.4.2. A general cycling operation and its induced set 

Zheng [126] suggests generalizing the idea of cyclings. He defines: 

Definition 1.16. The cycling operation of order $q$ on $x$ is the conjugation 
$c_q(x) = s^{-1} x s$, where $s$ is the maximal common prefix of $x$ and $\Delta^q$ (this 
will be denoted in the next section as $s = x \wedge \Delta^q$). 
The corresponding set is: 

$G_q = \{\, x \in B_n \mid c_q^N(x) = x \text{ for some } N > 0 \,\}$. 

The new cycling operations are indeed natural generalizations of the 
cycling and decycling operations: 

$c(x) = \tau^{-\inf(x)}\big(c_{\inf(x)+1}(x)\big), \qquad d(x) = c_{\sup(x)-1}(x)$. 

Recall that $C(x)$ is the conjugacy class of $x$. For getting the Super 
Summit Sets and the Ultra Summit Sets in the language of $G_q$, we define: 

$\inf_s(x) = \max\{\inf(y) \mid y \in C(x)\}, \qquad \sup_s(x) = \min\{\sup(y) \mid y \in C(x)\}$. 

Hence, we get that: 

$SSS(x) = C(x) \cap \Big( \bigcap_{q \in \{\inf_s(x),\, \sup_s(x)\}} G_q \Big)$ 

$USS(x) = C(x) \cap \Big( \bigcap_{q \in \{\inf_s(x),\, \inf_s(x)+1,\, \sup_s(x)\}} G_q \Big)$ 

Zheng [126] defines a new summit set: 

$C^*(x) = C(x) \cap \Big( \bigcap_{q \in \mathbb{Z}} G_q \Big) = C(x) \cap \Big( \bigcap_{\inf_s(x) \le q \le \sup_s(x)} G_q \Big)$ 

It is straightforward that: 

$C^*(x) \subseteq USS(x) \subseteq SSS(x)$. 

Given an element $x$, computing an element $\tilde{x} \in C^*(x)$ is done by apply- 
ing iterated general cyclings $c_q$ until getting repetitions, for $\inf(x) \le q \le 
\sup(x)$. A more complicated algorithm is presented for finding the whole 
$C^*(x)$ (see [126, Algorithm 3.8]). Having these ingredients for $C^*(x)$, we 
can solve the Conjugacy Search Problem based on $C^*(x)$. 

Zheng [126, Section 6] presents some computational results, and he em- 
phasizes that the new set $C^*(x)$ is important especially for the case of 
reducible braids, where there are cases that $USS(x) = SSS(x)$. 

1.7.4.3. Stable Super Summit Sets and Stable Ultra Summit Sets 

The stable Super Summit Sets and stable Ultra Summit Sets were defined 
simultaneously by Birman, Gebhardt and González-Meneses [14] and Lee 
and Lee [78]: 

Definition 1.17. Given $x \in B_n$, the stable Super Summit Set of $x$ is 
defined as: 

$SSSS(x) = \{\, y \in SSS(x) \mid y^m \in SSS(x^m),\ \forall m \in \mathbb{Z} \,\}$. 

The stable Ultra Summit Set of $x$ is defined as: 

$SU(x) = \{\, y \in USS(x) \mid y^m \in USS(x^m),\ \forall m \in \mathbb{Z} \,\}$. 

Birman, Gebhardt and González-Meneses [14, Proposition 2.23] and Lee 
and Lee [78, Theorem 6.1(i)] have proved that for every $x \in B_n$ the stable 
sets $SSSS(x)$ and $SU(x)$ are non-empty. 

We give here an example from [78], which shows that: (i) the stable 
Super Summit Set is different from both the Super Summit Set and the 
Ultra Summit Set; (ii) one cannot obtain an element of the stable Super 
Summit Set by applying only cyclings and decyclings. 

Example 1.5. [78, page H] Consider the positive 4-braid monoid $B_4^+$. Let 

Note that the $g_i$'s are permutation braids and conjugate to each other. 
It is easy to see that 

$SSS(g_1) = USS(g_1) = \{g_1, g_2, g_3, g_4\}$. 

Now, we show that the stable Super Summit Set of $g_1$ is different from the 
Super/Ultra Summit Set of $g_1$. The normal forms of $g_i^2$ are as follows: 

$g_1^2 = (\sigma_1\sigma_2\sigma_3\sigma_1\sigma_2)\sigma_3; \quad g_2^2 = (\sigma_3\sigma_2\sigma_1\sigma_3\sigma_2)\sigma_1; \quad g_3^2 = \Delta; \quad g_4^2 = \Delta$. 

Therefore, $\inf(g_1^2) = \inf(g_2^2) = 0$ and $\inf(g_3^2) = \inf(g_4^2) = 1$. Hence, 

$SSSS(g_1) = \{g_3, g_4\}$. 

Note that $c^k(g_i) = d^k(g_i) = g_i$ for $i = 1, \ldots, 4$ and all $k \ge 1$. In particular, 
we cannot obtain an element of the stable Super Summit Set by applying 
only cyclings and decyclings to $g_1$ or $g_2$. 

A finite-time algorithm for computing the stable Super Summit Sets 
(i.e. when given $x \in B_n$, first compute an element $\tilde{x} \in SSSS(x)$ and then 
compute the whole set $SSSS(x)$) is given by Lee and Lee in [80, Section 6]. 

Birman, Gebhardt and González-Meneses [14, page 27] remark that 
their proof for the non-emptiness of the stable Ultra Summit Set (Proposi- 
tion 2.23 there) actually yields an algorithm for computing this set. 

Zheng [126], as a continuation of his idea of general cyclings, suggests 
generalizing also the stable sets. He defines: 

Definition 1.18. $c_{p,q}(x) = s^{-1} x s$, where $s$ is the maximal common prefix 
of $x^p$ and $\Delta^q$ (i.e., $s = x^p \wedge \Delta^q$). 
The corresponding set is: 

$G_{p,q} = \{\, x \in B_n \mid c_{p,q}^N(x) = x \text{ for some } N > 0 \,\}$. 

Note that $c_q(x^p) = (c_{p,q}(x))^p$, so applying a $c_q$ operation on $x^p$ is 
equivalent to applying a $c_{p,q}$ operation on $x$. In particular, $x^p \in G_q$ if and 
only if $x \in G_{p,q}$. 
Similarly, one can define:

$$C^{[m,n],*}(x) = C(x) \cap \bigcap_{p \in [m,n],\ q} G_{p,q}.$$

Zheng claims that, with a suitable modification, the algorithms for com-
puting $C^*(x)$ can be used to compute the set $C^{[m,n],*}(x)$.
An even more generalized set is:

$$C^{*,*}(x) = C(x) \cap \bigcap_{p,\,q} G_{p,q},$$

but currently there is no algorithm for computing it, because he does not
know how to bound the order $p$. Nevertheless, Zheng [126, Theorem 7.3]
has proved that the set $C^{*,*}(x)$ is nonempty.

The set $C^{*,*}(x)$ is indeed a generalization of the stable sets, since:

$$\mathrm{SSSS}(x) = C(x) \cap \bigcap_{p \ge 1,\ q \in \{\inf_s(x^p),\ \sup_s(x^p)\}} G_{p,q},$$

$$\mathrm{SU}(x) = C(x) \cap \bigcap_{p \ge 1,\ q \in \{\inf_s(x^p),\ \inf_s(x^p)+1,\ \sup_s(x^p)\}} G_{p,q}.$$

By the non-emptiness result of Zheng, we have an alternative proof that 
the stable sets are nonempty. 

1.7.5. Cyclic sliding 

The latest step to date in the search for a polynomial-time solution to the conju-
gacy search problem has been made by Gebhardt and Gonzalez-Meneses [55, 56].

Their idea is to introduce a new operation, called cyclic sliding, and
they suggest replacing the usual cycling and decycling operations by this
new one, as it is more natural from both the theoretical and computational
points of view. Then, the Ultra Summit Set $\mathrm{USS}(x)$ of $x$ is replaced by
its analogue for cyclic sliding: the set of sliding circuits, $\mathrm{SC}(x)$. The sets of
sliding circuits and their elements naturally satisfy all the good properties
that were already shown for Ultra Summit Sets, and sometimes even better
properties: for example, for elements of canonical length 1, cycling and
decycling are trivial operations, but cyclic sliding is not.
One more advantage of considering the set $\mathrm{SC}(x)$ is that it yields a
simpler algorithm to solve the Conjugacy Decision Problem and the Con-
jugacy Search Problem in the braid group. The worst case complexity of
the algorithm is not better than the previously known ones [53], but it is
conceptually simpler and easier to implement. The details of the imple-
mentation and the study of complexity are presented in [56].

For any two braids $u, v$, let us denote by $u \wedge v$ the largest common
prefix of $u$ and $v$ (the notation comes from the corresponding operation
on the lattice generated by the partial order $\preccurlyeq$ on the elements of $B_n$, see
Section [TXT]).

The following is an interesting observation:

Observation 1.19. Given two permutation braids $u$ and $v$, the decompo-
sition $u \cdot v$ is left-weighted if $\partial(u) \wedge v = e$ or, equivalently, if $uv \wedge \Delta = u$.
The condition $\partial(u) \wedge v = e$ actually means that if we move any crossing
from $v$ to $u$, then $u$ will no longer be a permutation braid.

By this observation, it is easy to give a procedure to find the left-
weighted factorization of the product of two permutation braids $u$ and $v$,
as follows. If the decomposition $uv$ is not left-weighted, this means that
there is a nontrivial prefix $s \preccurlyeq v$ such that $us$ is still a permutation braid
(i.e. $s \preccurlyeq \partial(u)$). The maximal element which satisfies this property is
$s = \partial(u) \wedge v$. Therefore, to transform the decomposition $uv$ into a
left-weighted one, we have to slide the prefix $s = \partial(u) \wedge v$ from the second
factor to the first one. That is, write $v = st$ and then consider the decom-
position $uv = (us)t$, with $us$ as the first factor and $t$ as the second one. The
decomposition $us \cdot t$ is left-weighted by the maximality of $s$. This action
will be called local sliding (see Figure 1.19).

Motivated by the idea of local sliding, one wants now to do a cycling
in the same manner. Given a braid in left normal form $x = \Delta^p x_1 \cdots x_r$,
we want now to slide a part of $x_1$ to $x_r$. This will be done by conjugating
by a prefix of $\tau^{-p}(x_1)$. The appropriate prefix is $\partial(x_r) \wedge \tau^{-p}(x_1)$, which is
equal to $\iota(x^{-1}) \wedge \iota(x)$. Hence, Gebhardt and Gonzalez-Meneses [55] define:

Definition 1.20. Given $x \in B_n$, define the cyclic sliding $\mathfrak{s}(x)$ of $x$ as the
conjugate of $x$ by $\mathfrak{p}(x) = \iota(x^{-1}) \wedge \iota(x)$, that is:

$$\mathfrak{s}(x) = \mathfrak{p}(x)^{-1}\, x\, \mathfrak{p}(x).$$

Fig. 1.19. An illustration of a local sliding.

By a series of results, Gebhardt and Gonzalez-Meneses [55, Section 3,
Results 3.4-3.10] show that the cyclic sliding is indeed a generalization
of cycling and decycling, and that for every $x \in B_n$, iterated
application of cyclic sliding eventually reaches a period, that is, there are
integers $N \ge 0$ and $M > 0$ such that $\mathfrak{s}^{N+M}(x) = \mathfrak{s}^{N}(x)$.
Now, one can define the set of sliding circuits of x: 

Definition 1.21. An element $y \in B_n$ belongs to a sliding circuit if $\mathfrak{s}^m(y) = y$
for some $m \ge 1$.

Given $x \in B_n$, the set of sliding circuits of $x$, denoted by $\mathrm{SC}(x)$, is the
set of all conjugates of $x$ which belong to a sliding circuit.

Note that $\mathrm{SC}(x)$ does not depend on $x$ but only on its conjugacy class.
Hence, two elements $x, y \in B_n$ are conjugate if and only if $\mathrm{SC}(x) = \mathrm{SC}(y)$.
Therefore, the computation of $\mathrm{SC}(x)$ and of one element of $\mathrm{SC}(y)$ will solve
the Conjugacy Decision Problem in $B_n$.

The set $\mathrm{SC}(x)$ is usually much smaller than $\mathrm{USS}(x)$. For example, for

$$B_{12} \ni x = \sigma_7\sigma_8\sigma_7\sigma_6\sigma_5\sigma_4\sigma_9\sigma_8\sigma_7\sigma_6\sigma_5\sigma_4\sigma_3\sigma_2\sigma_{10}\sigma_9\sigma_8\sigma_7\sigma_6\sigma_5\sigma_4\sigma_3 \cdot$$
$$\cdot\, \sigma_2\sigma_1\sigma_{11}\sigma_{10}\sigma_9\sigma_8\sigma_7\sigma_6\sigma_5\sigma_4\sigma_3\sigma_2\sigma_1$$

we have that $|\mathrm{SC}(x)| = 6$, but $|\mathrm{SSS}(x)| = |\mathrm{USS}(x)| = 126498$ (see [55,
Section 5], based on an example from [57]). On the other hand, the size of
the set $\mathrm{SC}(x)$ still might be exponential in the length of $x$ (for example, if
$\delta = \sigma_{n-1} \cdots \sigma_1 \in B_n$, one has $|\mathrm{SC}(\delta)| = 2^{n-1} - 2$ [53, Proposition 5.1]).

Gebhardt and Gonzalez-Meneses have proved [55, Proposition 3.13]
that:

$$\mathrm{SC}(x) = \mathrm{RSSS}(x)$$

for $x$ satisfying $\ell_s(x) > 1$ (where $\ell_s(x) = \sup_s(x) - \inf_s(x)$, i.e. the canonical
length of elements in the Super Summit Set of $x$), and

$$\mathrm{SC}(x) \subseteq \mathrm{RSSS}(x)$$

for $x$ satisfying $\ell_s(x) = 1$, and in general $\mathrm{SC}(x)$ is a proper subset of $\mathrm{RSSS}(x)$
in this case.

They remark that the case $\ell_s(x) = 1$ in which the sets differ is not
irrelevant, since, for example, a periodic braid $x$ which is not conjugate to
a power of $\Delta$ has $\ell_s(x) = 1$, but the conjugacy problem for such braids is
far from being easy [16].

As in the previous Summit Sets, the algorithm to solve the CDP/CSP
in braid groups (using sliding circuits) starts by obtaining an element $\tilde{x} \in
\mathrm{SC}(x)$. We do this as follows: take an element $x$. Now, apply iterated cyclic
sliding on it. Due to the periodic property of the sliding operation, we will
have two integers $m_1, m_2$ ($m_1 < m_2$) which satisfy:

$$\mathfrak{s}^{m_1}(x) = \mathfrak{s}^{m_2}(x).$$

When having this, the element $\tilde{x} = \mathfrak{s}^{m_1}(x)$ is in $\mathrm{SC}(x)$, since:

After finding a representative $\tilde{x} \in \mathrm{SC}(x)$, we have to explore the whole set
$\mathrm{SC}(x)$. This we do in a similar way to the Ultra Summit Set case: there
are $\preccurlyeq$-minimal elements which conjugate an element in $\mathrm{SC}(x)$ to another
element there. The number of such possible minimal conjugators for a given
element in $\mathrm{SC}(x)$ is bounded by the number of Artin generators. Hence,
one can compute the whole $\mathrm{SC}(x)$ starting from a single element $\tilde{x} \in \mathrm{SC}(x)$,
and then we are done (for more information, see [55, Section 4.1] and [56]).
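As an added example (not code from the survey nor the implementation of Gebhardt and Gonzalez-Meneses), the following Python code models permutation braids by their permutations and implements the prefix order, the meet $u \wedge v$ by brute force over $S_n$ (so only small $n$ is practical), the left-weighted test of Observation 1.19, local sliding, the left normal form, cyclic sliding (Definition 1.20) and the iteration that reaches a sliding circuit; all function names are my own.

```python
from itertools import permutations

# A permutation braid on n strands is stored as a tuple p with p[a] = final
# position of the strand that starts at position a (0-indexed).

def identity(n):
    return tuple(range(n))

def delta(n):
    """The Garside element Delta (half twist): it reverses all positions."""
    return tuple(range(n - 1, -1, -1))

def gen(n, i):
    """The Artin generator sigma_i (1 <= i <= n-1) as a permutation braid."""
    p = list(range(n))
    p[i - 1], p[i] = p[i], p[i - 1]
    return tuple(p)

def mul(p, q):
    """Braid product p.q (p first, then q) on the permutation level."""
    return tuple(q[a] for a in p)

def inverse(p):
    inv = [0] * len(p)
    for a, b in enumerate(p):
        inv[b] = a
    return tuple(inv)

def length(p):
    """Number of crossings of a permutation braid = number of inversions."""
    n = len(p)
    return sum(1 for a in range(n) for b in range(a + 1, n) if p[a] > p[b])

def is_prefix(s, u):
    """s is a prefix of u iff u = s.t with the crossings adding up."""
    return length(s) + length(mul(inverse(s), u)) == length(u)

def meet(u, v):
    """u ^ v, the largest common prefix (brute force over S_n: small n only)."""
    best = identity(len(u))
    for p in permutations(range(len(u))):
        if length(p) > length(best) and is_prefix(p, u) and is_prefix(p, v):
            best = p
    return best

def complement(u):
    """d(u) = u^{-1} Delta, the permutation braid completing u to Delta."""
    return mul(inverse(u), delta(len(u)))

def is_left_weighted(u, v):
    """Observation 1.19: u.v is left-weighted iff d(u) ^ v = e."""
    return meet(complement(u), v) == identity(len(u))

def local_sliding(u, v):
    """Move the prefix s = d(u) ^ v of the second factor into the first one."""
    s = meet(complement(u), v)
    return mul(u, s), mul(inverse(s), v)

def left_normal_form(n, factors):
    """Return (inf, [x_1, ..., x_r]) with x = Delta^inf x_1 ... x_r left-weighted."""
    f = list(factors)
    changed = True
    while changed:  # every sliding moves crossings to the left, so this ends
        changed = False
        for i in range(len(f) - 1):
            u, v = local_sliding(f[i], f[i + 1])
            if (u, v) != (f[i], f[i + 1]):
                f[i], f[i + 1] = u, v
                changed = True
    inf = 0
    while f and f[0] == delta(n):      # Delta factors gather at the front ...
        f.pop(0)
        inf += 1
    while f and f[-1] == identity(n):  # ... and trivial factors at the end
        f.pop()
    return inf, f

def tau(p):
    """tau(p) = Delta^{-1} p Delta, i.e. sigma_i -> sigma_{n-i}; tau^2 = id."""
    d = delta(len(p))
    return mul(d, mul(p, d))

def cyclic_sliding(n, inf, factors):
    """Definition 1.20: conjugate x = Delta^inf x_1...x_r by p(x) = iota(x) ^ iota(x^-1)."""
    if not factors:          # a power of Delta is fixed by cyclic sliding
        return inf, []
    x1, xr = factors[0], factors[-1]
    iota = x1 if inf % 2 == 0 else tau(x1)      # iota(x) = tau^{-inf}(x_1)
    pref = meet(iota, complement(xr))           # iota(x^{-1}) = d(x_r)
    pk = pref if inf % 2 == 0 else tau(pref)    # tau^inf(p): p^{-1} moved past Delta^inf
    return left_normal_form(n, [mul(inverse(pk), x1)] + factors[1:] + [pref])

def sliding_circuit(n, word):
    """Iterate cyclic sliding from the positive word sigma_{i1}...sigma_{ik} until
    it repeats (the s^{m1}(x) = s^{m2}(x) above); return the circuit reached."""
    x = left_normal_form(n, [gen(n, i) for i in word])
    seen = []
    while x not in seen:
        seen.append(x)
        x = cyclic_sliding(n, *x)
    return seen[seen.index(x):]
```

On $\delta = \sigma_2\sigma_1 \in B_3$ the iteration alternates between $\sigma_2\sigma_1$ and $\sigma_1\sigma_2$, so the circuit reached has size 2.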

Again, as in the previous Summit Sets, the algorithm of Gebhardt and
Gonzalez-Meneses [55] not only computes $\mathrm{SC}(x)$, but also a graph $\mathrm{SCG}(x)$,
which determines the conjugating elements. This graph is defined as fol-
lows.

Definition 1.22. Given $x \in B_n$, the directed graph $\mathrm{SCG}(x)$ is defined by
the following data:

(1) The set of vertices is $\mathrm{SC}(x)$.

(2) For every $y \in \mathrm{SC}(x)$ and every minimal permutation braid $s$ for $y$ with
respect to $\mathrm{SC}(x)$, there is an arrow labeled by $s$ going from $y$ to $s^{-1} y s$.

More information about these sorts of Summit Sets can be found in the
series of papers [?], [15], [16] and [?], [?], [80].

1.7.6. An updated summary of the theoretical solution for
the conjugacy search problem

In this section, we give an updated summary of the current status of the
complexity of the theoretical solution for the Conjugacy Search Problem.
We follow here the nice presentation of Gonzalez-Meneses in his talk at
Singapore (2007) [?].

As already mentioned, according to the Nielsen-Thurston geometric classi-
fication (based on [102] and [120]), there are three types of braids: periodic
braids, reducible braids and pseudo-Anosov braids.

A braid $\alpha$ is called periodic if there exist integers $k, m$ such that $\alpha^k =
\Delta^{2m}$. A braid $\alpha$ is called reducible if it preserves a family of curves, called
a reduction system. A braid is called pseudo-Anosov if it is neither periodic
nor reducible.

For the case of periodic braids, Birman, Gebhardt and Gonzalez-
Meneses [16] present a polynomial-time algorithm for solving the conjugacy
search problem. Almost at the same time, Lee and Lee [79] suggest another,
entirely different solution for this case.

For the case of reducible braids, there is a result of Gebhardt and 
Gonzalez-Meneses [59] that these braids fall into exactly two cases: 

(1) The braid $\alpha$ is conjugate to a braid with a standard reducing curve,
which means that the reducing curves are round circles, and hence the
Conjugacy Search Problem can be decomposed into smaller problems
(inside the tubes).

There is only one problem here: the conjugate braid (with a standard
reducing curve) is in $\mathrm{USS}(\alpha)$, and to reach it, one has to make an
unknown number of cycling/decycling (or sliding) steps.

(2) The braid $\alpha$ is rigid (i.e. a cycling of the Garside normal form of $\alpha$ is
left-weighted as written, or alternatively, it is a fixed point with respect
to cyclic slidings).

For the case of pseudo-Anosov braids: due to a result of Birman,
Gebhardt and Gonzalez-Meneses [14, Corollary 3.24], there exists a small
power of a pseudo-Anosov braid which is conjugate to a rigid braid. Another
result [55] claims that in the case of pseudo-Anosov braids, the conjugating
elements of the pair $(x, y)$ and the pair $(x^m, y^m)$ coincide, and hence instead
of solving the Conjugacy Search Problem for the pair $(x, y)$, one can solve
it for the pair $(x^m, y^m)$. Therefore, one can restrict oneself to the case of
rigid braids.



If we summarize all cases, we get that the main challenges in this direc- 
tion are: 

(1) Solve the Conjugacy Search Problem for rigid braids in polynomial 
time. 

(2) Given a braid $x$, find a polynomial bound for the number of cy-
cling/decycling steps one has to perform to reach an element in
$\mathrm{USS}(x)$.

1.8. More attacks on the conjugacy search problem 

There are some more ways to attack the Conjugacy Search Problem, apart
from solving it completely. In this section, we present some techniques to
attack the Conjugacy Search Problem without actually solving it theoreti-
cally.

1.8.1. A heuristic algorithm using the Super Summit Sets 

Hofheinz and Steinwandt [65] use a heuristic algorithm for attacking the
Conjugacy Search Problem which is the basis of the cryptosystems of
Anshel-Anshel-Goldfeld [4] and Ko et al. [72].

Their algorithm is based on the idea that it is probable that if we start 
with two elements in the same conjugacy class, their representatives in the 
Super Summit Set will not be too far away, i.e. one representative is a 
conjugation of the other by a permutation braid. 

So, given a pair $(x, x')$ of braids, where $x' = s^{-1} x s$, we do the following
steps:

(1) By a variant of cycling (adding a multiplication by $\Delta$ to the first per-
mutation braid, based on [82, Proposition 1]) and decycling, we find
$\tilde{x} \in \mathrm{SSS}(x)$ and $\tilde{x}' \in \mathrm{SSS}(x')$.

(2) Try to find a permutation braid $P$ such that $\tilde{x}' = P^{-1} \tilde{x} P$.

In case we find such a permutation braid $P$, since we can keep track of the
conjugators in the cycling/decycling process, at the end of the algorithm
we will have at hand the needed conjugator for breaking the cryptosystem.
Note that we do not really need to find exactly $s$, since any $s$ which satisfies
$x' = s^{-1} x s$ will do the job as well and reveal the shared secret key.
Their experiments show that they succeed in revealing the shared secret
key in almost 100% of the cases in the Anshel-Anshel-Goldfeld protocol
(where the cryptosystem is based on the Multiple Simultaneous Conjugacy
Problem) and in about 80% of the cases in the Diffie-Hellman-type protocol.

Note that their attack is special to cryptosystems which are based on 
the conjugacy problem, since it depends very much on the fact that x and 
x' are conjugate. 



1.8.2. Reduction of the Conjugacy Search Problem 



Maffre [87, 88] presents a deterministic, polynomial algorithm that reduces
the Conjugacy Search Problem in the braid group.

The algorithm is based on the decomposition of braids into products of
canonical factors and gives a partial factorization of the secret: a divisor
and a multiple. The tests which were performed on different keys of existing
protocols showed that many protocols in their current form are broken and
that the efficiency of the attack depends on the random generator used to
create the key.



1.8.3. Length-based attacks 

A different probabilistic attack on the braid group cryptosystems is the 
length-based attack. In this section, we will sketch its basic idea, and differ- 
ent variants of this attack on the braid group cryptosystems. We finish this 
section with a short discussion about the applicability of the length-based 
attack to other groups. 



1.8.3.1. The basic idea 

The basic idea was introduced by Hughes and Tannenbaum [67].

Let $\ell$ be a length function on the braid group $B_n$. In the Conjugacy
Search Problem, we have an instance $(p, p')$ where $p' = s^{-1} p s$, and we
look for $s$. The idea of a probabilistic length-based attack on this problem
is: if we can write $s = s'\sigma_i$ for a given $i$, then the length $\ell(\sigma_i s^{-1} p s \sigma_i^{-1})$
should be strictly smaller than the length $\ell(\sigma_j s^{-1} p s \sigma_j^{-1})$ for $j \ne i$.

Thus, to use such an attack, one should choose a good length function
on $B_n$ and run it iteratively until we get the correct conjugator.
1.8.3.2. Choosing a length function

In [35], we suggest some length functions for this purpose. The first option
is the Garside length, which is the length of the Garside normal form in
terms of Artin generators (i.e. if $w = \Delta^{-r} P_1 P_2 \cdots P_k$, then $\ell_{Gar}(w) = r|\Delta| +
|P_1| + |P_2| + \cdots + |P_k|$).

A better length function is the Reduced Garside length (which is called
Mixed Garside length in [44]). The motivation for this length function is
that a part of the negative powers of $\Delta_n$ can be canceled with the positive
permutation braids. Hence, it is defined as follows: if $w = \Delta^{-r} P_1 P_2 \cdots P_k$,
then:

$$\ell_{RedGar}(w) = \ell_{Gar}(w) - 2 \sum_{i=1}^{\min\{r,k\}} |P_i|.$$

This length function is much better behaved, and hence it gives better
performance. But even this length function did not yield a break of the
cryptosystems (by the basic length-based attack).

In [64], Hock and Tsaban checked the corresponding length functions 
for the Birman-Ko-Lee presentation, and they found out that the reduced 
length function with respect to the Birman-Ko-Lee presentation behaves 
even better than the reduced Garside length function. 

1.8.3.3. The memory approach 

The main contribution of [48] is new improvements to the length-based
attack.

First, it introduces a new approach which uses memory: in the basic
length-based attack, we hold each time only the best conjugator so far.
The problem with this is that sometimes a prefix of the correct conjugator
is not the best conjugator at some iteration and hence it is thrown out.
In such a situation, we just miss the correct conjugator on the way, and
hence the length-based algorithm fails. Moreover, even if we use a 'look
ahead' approach, which means that instead of adding one generator in each
iteration we add several generators in each iteration, we still get total failure
for the suggested parameters, and some success for small parameters [35].

In the memory approach, we hold each time a given number (which is
the size of the memory) of possible conjugators which are the best among
all the other conjugators of this length. In the next step, we add one more
generator to all the conjugators in the memory, and we choose again only
the best ones among all the possibilities. In this approach, in a successful
search, we will often have the correct conjugator in the first place of the
memory.

The results of [48] show that the length-based attack with memory is
applicable to the cryptosystems of Anshel-Anshel-Goldfeld and Ko et al.,
and hence their cryptosystems are not secure. Moreover, the experiments
show that if we increase the size of the memory, the success rate of the
length-based attack with memory becomes higher.

1.8.3.4. A different variant of Length-based attack by Myasnikov 
and Ushakov 

Recently, Myasnikov and Ushakov [100] suggested a different variant of the
length-based approach.

They start by mentioning the fact that the geodesic length, i.e. the
length of the shortest path in the corresponding Cayley graph, seems to
be the best candidate for a length function in the braid group, but there
is no known efficient algorithm for computing it. Moreover, it was shown
by Paterson and Razborov [104] that the set of geodesic braids in $B_n$ is
co-NP complete. On the other hand, many other length functions are bad
for the length-based attacks (like the canonical length, which is the number
of permutation braids in the Garside normal form).

As a length function, they choose some approximation function for the
geodesic length: they use Dehornoy's handle reduction and conjugations
by $\Delta$ (this length function appears in [?], [93]). This length function satisfies
$|a^{-1} b a| > |b|$ for almost all $a$ and $b$.

Next, they identify a type of braid word, which they call peaks, which
causes problems for the length-based attacks:

Definition 1.23. Let $G$ be a group, let $\ell_G$ be a length function on $G$,
and $H = \langle w_1, \dots, w_k \rangle$. A word $w = w_{i_1} \cdots w_{i_n}$ is called an $n$-peak in $H$
relative to $\ell_G$ if there is no $1 < j < n - 1$ such that



An example of a commutator-type peak is given in [100, Example 1]:

if ai — CTgg ai2(J7a^ erf 0'7oCT25f''24 and 02 — cr42Cr^g CTgCrfg Cri9CT73Cr33 (722 

then their commutator is a peak: af Cj^ 0102 = cryc^ • 

The main idea behind their new variant of the length-based attack is
to add elements from the corresponding subgroup to cut the peaks. By
an investigation of the types of peaks, one can see that this is done by
adding to the vector of elements all the conjugators and commutators of
its elements. In this way, the length-based attack will be more powerful.
For more information and for an exact implementation, see [100].



1.8.3.5. Applicability of the length-based approach 

One interesting point about the length-based approach is that it is applica-
ble not only to the Conjugacy Search Problem, but also to solving equa-
tions in groups. Hence, it is a threat also to the Decomposition Problem
and to the Shifted Conjugacy Problem which was introduced by Dehornoy
(see [30] and Section 1.9.3 below).

Moreover, the length-based approach is applicable in any group which
has a reasonable length function, e.g. the Thompson group, as indeed has
been done by Ruinskiy, Shamir and Tsaban (see [108] and Section 1.11.1.2
below).



1.8.4. Attacks based on linear representations 

A different way to attack these cryptographic schemes is by using linear
representations of the braid groups. The basic idea is to map the braid
groups into groups of matrices, in which the Conjugacy Search Problem is
easy. In this way, we might solve the Conjugacy Search Problem of $B_n$ by
lifting the element from the group of matrices back to the braid group $B_n$.
For more information on the linear representations of the braid group,
we refer the reader to the surveys of Birman and Brendle [13] and Paris.


1.8.4.1. The Burau representations 

The best known linear representation of the braid group $B_n$ is the Burau
representation [?]. We present it here (we partially follow [?]).

The Burau representation is defined as follows. Let $\mathbb{Z}[t^{\pm 1}]$ be the ring
of Laurent polynomials $f(t) = a_k t^k + a_{k+1} t^{k+1} + \cdots + a_m t^m$ with integer
coefficients (and possibly with negative degree terms). Let $\mathrm{GL}_n(\mathbb{Z}[t^{\pm 1}])$ be
the group of $n \times n$ invertible matrices over $\mathbb{Z}[t^{\pm 1}]$. The Burau representation
is a homomorphism $B_n \to \mathrm{GL}_n(\mathbb{Z}[t^{\pm 1}])$ which sends a generator $\sigma_i \in B_n$
to the matrix:

$$\sigma_i \mapsto \begin{pmatrix} I_{i-1} & & \\ & \begin{matrix} 1-t & t \\ 1 & 0 \end{matrix} & \\ & & I_{n-i-1} \end{pmatrix} \in \mathrm{GL}_n(\mathbb{Z}[t^{\pm 1}]),$$

where $1 - t$ occurs in row and column $i$ of the matrix.

This representation is reducible, since it can be decomposed into the
trivial representation of dimension 1 and an irreducible representation
$B_n \to \mathrm{GL}_{n-1}(\mathbb{Z}[t^{\pm 1}])$ of dimension $n - 1$, called the reduced Burau rep-
resentation, which sends a generator $\sigma_i \in B_n$ to the matrix:

$$C_i(t) = \begin{pmatrix} I_{i-2} & & & & \\ & 1 & 0 & 0 & \\ & t & -t & 1 & \\ & 0 & 0 & 1 & \\ & & & & I_{n-i-2} \end{pmatrix} \in \mathrm{GL}_{n-1}(\mathbb{Z}[t^{\pm 1}]),$$

where $t$ occurs in row $i$ of the matrix. If $i = 1$ or $i = n - 1$, the matrix is
truncated accordingly (see [82]).

Note that these matrices satisfy the braid group's relations:

$$C_i(t) C_j(t) = C_j(t) C_i(t) \quad \text{for } |i - j| \ge 2,$$

$$C_i(t) C_{i+1}(t) C_i(t) = C_{i+1}(t) C_i(t) C_{i+1}(t) \quad \text{for } i = 1, \dots, n - 1.$$

The Burau representation of $B_n$ is faithful for $n = 3$ and it is known
to be unfaithful for $n \ge 5$ (i.e. the map from $B_n$ to the matrices is not
injective) [93], [?], [83], [?]. The case $n = 4$ remains open. In the case
of $n \ge 5$, the kernel is very small [123], and the probability that different
braids admit the same Burau image is negligible.
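The following is an added example (not code from the survey or from any cited paper): Python code that builds the unreduced Burau matrices above over $\mathbb{Z}[t^{\pm 1}]$, represented as exponent-to-coefficient dictionaries, multiplies them along a braid word, verifies the braid relations and the fixed all-ones vector that witnesses the trivial subrepresentation, and compares two words in $B_3$, where the representation is faithful; the helper names are my own.

```python
# A Laurent polynomial in t is a dict {exponent: coefficient}; a matrix is a
# list of rows of such polynomials. Zero is the empty dict.

def padd(p, q):
    r = dict(p)
    for e, c in q.items():
        r[e] = r.get(e, 0) + c
    return {e: c for e, c in r.items() if c}

def pmul(p, q):
    r = {}
    for e1, c1 in p.items():
        for e2, c2 in q.items():
            r[e1 + e2] = r.get(e1 + e2, 0) + c1 * c2
    return {e: c for e, c in r.items() if c}

def identity_matrix(n):
    return [[{0: 1} if i == j else {} for j in range(n)] for i in range(n)]

def mmul(A, B):
    n = len(A)
    C = identity_matrix(n)
    for i in range(n):
        for j in range(n):
            acc = {}
            for k in range(n):
                acc = padd(acc, pmul(A[i][k], B[k][j]))
            C[i][j] = acc
    return C

ONE, T, ONE_MINUS_T = {0: 1}, {1: 1}, {0: 1, 1: -1}
T_INV, ONE_MINUS_T_INV = {-1: 1}, {0: 1, -1: -1}

def burau_generator(n, i, inverse=False):
    """Unreduced Burau image of sigma_i (1 <= i <= n-1) or of its inverse: the
    identity except for the 2x2 block at rows/columns i-1, i (0-indexed)."""
    M = identity_matrix(n)
    r = i - 1
    if not inverse:   # block [[1-t, t], [1, 0]], with 1-t in row and column i
        M[r][r], M[r][r + 1], M[r + 1][r], M[r + 1][r + 1] = ONE_MINUS_T, T, ONE, {}
    else:             # its inverse block [[0, 1], [t^-1, 1 - t^-1]]
        M[r][r], M[r][r + 1], M[r + 1][r], M[r + 1][r + 1] = {}, ONE, T_INV, ONE_MINUS_T_INV
    return M

def burau(n, word):
    """Image of a braid word given as 1-based generator indices, negative for inverses."""
    M = identity_matrix(n)
    for g in word:
        M = mmul(M, burau_generator(n, abs(g), inverse=g < 0))
    return M

def satisfies_braid_relations(n):
    """Check the far-commutation and braid relations on the generator matrices."""
    for i in range(1, n):
        for j in range(i + 2, n):
            if burau(n, [i, j]) != burau(n, [j, i]):
                return False
    return all(burau(n, [i, i + 1, i]) == burau(n, [i + 1, i, i + 1])
               for i in range(1, n - 1))

def fixes_all_ones(M):
    """Every row sums to 1, so M fixes the vector (1, ..., 1): this invariant
    line is the trivial 1-dimensional subrepresentation that makes the
    unreduced Burau representation reducible."""
    for row in M:
        s = {}
        for entry in row:
            s = padd(s, entry)
        if s != {0: 1}:
            return False
    return True
```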

Here is a variant of the Burau representation introduced by Morton [95].
The colored Burau matrix is a refinement of the Burau matrix obtained by assign-
ing $\sigma_i$ to $C_i(t_{i+1})$, so that the entries of the resulting matrix have several
variables. This naive construction does not give a group homomorphism.
Thus the induced permutations are considered simultaneously. We label
the strands of an $n$-braid by $t_1, \dots, t_n$, putting the label $t_j$ on the strand
which starts from the $j$th point on the right.
Now we define:

Definition 1.24. Let $a \in B_n$ be given by a word $\sigma_{i_1}^{\epsilon_1} \cdots \sigma_{i_k}^{\epsilon_k}$, $\epsilon_r = \pm 1$. Let
$t_{j_r}$ be the label of the under-crossing strand at the $r$th crossing. Then the
colored Burau matrix $M_a(t_1, \dots, t_n)$ of $a$ is defined by

$$M_a(t_1, \dots, t_n) = \prod_{r=1}^{k} C_{i_r}(t_{j_r})^{\epsilon_r}.$$

The permutation group $S_n$ acts on $\mathbb{Z}[t_1^{\pm 1}, \dots, t_n^{\pm 1}]$ from the left by changing
variables: for $\alpha \in S_n$, $\alpha(f(t_1, \dots, t_n)) = f(t_{\alpha(1)}, \dots, t_{\alpha(n)})$. Then $S_n$ also
acts on the matrix group $\mathrm{GL}_{n-1}(\mathbb{Z}[t_1^{\pm 1}, \dots, t_n^{\pm 1}])$ entry-wise: for $\alpha \in S_n$
and $M = (f_{ij})$, $\alpha(M) = (\alpha(f_{ij}))$. Then we have

Definition 1.25. The colored Burau group $CB_n$ is:

$$S_n \ltimes \mathrm{GL}_{n-1}(\mathbb{Z}[t_1^{\pm 1}, \dots, t_n^{\pm 1}])$$

with multiplication $(\alpha_1, M_1) \cdot (\alpha_2, M_2) = (\alpha_1 \alpha_2, (\alpha_2^{-1} M_1) M_2)$. The col-
ored Burau representation $C : B_n \to CB_n$ is defined by $C(\sigma_i) = ((i, i+1), C_i(t_{i+1}))$.

It is easy to see the following:

(1) $CB_n$ is a group, with identity element $(e, I_{n-1})$ and $(\alpha, M)^{-1} =
(\alpha^{-1}, \alpha M^{-1})$.

(2) The $C(\sigma_i)$'s satisfy the braid relations and so $C : B_n \to CB_n$ is a group
homomorphism.

(3) For $a \in B_n$, $C(a) = (\pi_a, M_a)$, where $\pi_a$ is the induced permutation and
$M_a$ is the colored Burau matrix.

Using the Burau representation, the idea of Hughes [?] to attack the
Anshel-Anshel-Goldfeld scheme [?] is as follows: take one or several pairs
of conjugate braids $(p, p')$ associated with the same conjugating braid.
Now, it is easy to compute their classical Burau images and to solve the
Conjugacy Search Problem in the linear group.

In general, this is not enough for solving the Conjugacy Search Problem
in $B_n$, because there is no reason for the conjugating matrix that has been
found to belong to the image of the Burau representation, or that one can
find a possible preimage. Since the kernel of the classical Burau represen-
tation is small [123], there is a non-negligible probability that we will find
the correct conjugator and hence break the cryptosystem.

In a different direction, Lee and Lee [82] indicate a weakness in the
Anshel-Anshel-Goldfeld protocol at a different point. Their shared key is
the colored Burau representation of a commutator element.

The motivation for this attack is that despite the change of variables 
in the colored Burau matrix by permutations, the matrix in the final out- 
put, which is the shared key, is more manageable than braids. They show 
that the security of the key-exchange protocol is based on the problems of 
listing all solutions to some Multiple Simultaneous Conjugacy Problems in 
a permutation group and in a matrix group over a finite field. So if both 
of the two listing problems are feasible, then we can guess correctly the 
shared key, without solving the Multiple Simultaneous Conjugacy Problem 
in braid groups. 

Note that the Lee-Lee attack is specific to this protocol, since it uses the
colored Burau representation of a commutator element instead of the
element itself. If the representation used in the protocol is changed,
this attack is useless.

1.8.4.2. The Lawrence-Krammer representation

The Lawrence-Krammer representation is another linear representation of
$B_n$, which is faithful [?], [74]. It associates with every braid in $B_n$ a matrix
of size $\binom{n}{2}$ with entries in a 2-variable Laurent polynomial ring $\mathbb{Z}[t^{\pm 1}, q^{\pm 1}]$.

Cheon and Jun [24] develop an attack against the Diffie-Hellman-type
protocol based on the Lawrence-Krammer representation: as
in the case of the Burau representation, it is easy to compute the images of
the involved braids in the linear group and to solve the Conjugacy Problem
there, but in general, there is no way to lift the solution back to the braid
group.

But, since we only have to find a solution to the derived Diffie-Hellman-
like Conjugacy Problem:

Problem 1.5. Given $p$, $sps^{-1}$ and $rpr^{-1}$, with $r \in LB_n$ and $s \in UB_n$, find
$(rs)p(rs)^{-1}$.

Taking advantage of the particular form of the Lawrence-Krammer ma-
trices, which contain many $0$'s, Cheon and Jun obtain a solution with
polynomial complexity and they show that, for the parameters suggested
by Ko et al. [72], the procedure is feasible, and so the cryptosystem is not
secure.



1.9. Newly suggested braid group cryptosystems, their 
cryptanalysis and their future applications 

In this section, we present recent updates on some problems in the braid 
group, on which one can construct a cryptosystem. We also discuss some 
newly suggested braid group cryptosystems. 



1.9.1. Cycling problem as a potential hard problem 

In their fundamental paper, Ko et al. [72] suggested some problems which
can be considered as hard problems, on which one can construct a cryp-
tosystem. One of the problems is the Cycling Problem:

Problem 1.6. Given a braid $y$ and a positive integer $t$ such that $y$ is in
the image of the operator $c^t$, find a braid $x$ such that $c^t(x) = y$.

Maffre, in his thesis [86], shows that the Cycling Problem for $t = 1$ has
a very efficient solution. That is, if $y$ is the cycling of some braid, then one
can find $x$ such that $c(x) = y$ very fast.

Following this result, Gebhardt and Gonzalez-Meneses [54] have shown
that the general Cycling Problem has a polynomial solution. The reason
for that is the following result: the cycling operation is surjective on the
braid group [54]. Hence, one can easily find the $t$th preimage of $y$ under
this operation.

Note that the decycling operation and the cyclic sliding operation are sur-
jective too (the decycling operation is a composition of surjective maps:
$d(x) = (\tau(c(x^{-1})))^{-1}$, and the cyclic sliding operation can be written as a
composition of a cycling and a decycling [55, Lemma 3.8]). Hence, these
problems cannot be considered as hard problems on which one can con-
struct a cryptosystem [60].

It will be interesting to find new operations on the braid group whose
inversion can be considered a hard problem, on which one can construct
a cryptosystem.
1.9.2. A cryptosystem based on the shortest braid problem

A different type of problem consists in finding the shortest words represent-
ing a given braid (see Dehornoy [?, Section 4.5.2]). This problem depends
on a given choice of a distinguished family of generators for $B_n$, e.g., the
$\sigma_i$'s or the band generators of Birman-Ko-Lee.

We consider this problem in $B_\infty$, which is the group generated by an
infinite sequence of generators $\{\sigma_1, \sigma_2, \dots\}$ subject to the usual braid re-
lations.

The Minimal Length Problem (or Shortest Word Problem) is:

Problem 1.7. Starting with a word $w$ in the $\sigma_i$'s, find the shortest word
$w'$ which is equivalent to $w$, i.e., that satisfies $w' = w$.

This problem is considered to be hard due to the following result of
Paterson and Razborov [104]:

Prop 1.9. The Minimal Length Problem (in Artin's presentation) is co-
NP-complete.

This suggests introducing new schemes in which the secret key is a short
braid word, and the public key is another longer equivalent braid word. It
must be noted that the NP-hardness result holds in $B_\infty$ only, but it is not
known in $B_n$ for fixed $n$.

The advantage of using an NP-complete problem lies in the possibility 
of proving that some instances are difficult; however, from the point of view 
of cryptography, the problem is not to prove that some specific instances 
are difficult (worst-case complexity), but rather to construct relatively large 
families of provably difficult instances in which the keys may be randomly 
chosen. 

Based on some experiments, Dehornoy [29] suggests that braids of the
form $w(\sigma_1^{e_1}, \sigma_2^{e_2}, \dots, \sigma_n^{e_n})$ with $e_i = \pm 1$, i.e., braids in which, for each $i$, at
least one of $\sigma_i$ or $\sigma_i^{-1}$ does not occur, could be relevant.

The possible problem of this approach is that the shortest word problem
in $B_n$ for a fixed $n$ is not so hard. In $B_3$, there are polynomial-time algorithms
for the shortest word problem (see [8] and [124] for the presentation by the
Artin generators and [125] for the presentation by band generators). Also,
this problem was solved in polynomial time in $B_4$ for the presentation by the
band generators ([70] and [?, Chapter 5]). For small fixed $n$, Wiest [124]
conjectures an efficient algorithm for finding shortest representatives in
$B_n$. Also, an unpublished work [50] indicates that a heuristic algorithm
based on a random walk on the Cayley graph of the braid group might give
good results in solving the Shortest Word Problem.

In any case, further research is needed here in several directions:

(1) Cryptosystem direction: Can one suggest a cryptosystem based
on the shortest word problem in $B_\infty$, using its hardness due to
Paterson-Razborov?

(2) Cryptanalysis direction: What is the final status of the shortest
word problem in $B_n$ for a fixed $n$?

(3) Cryptanalysis direction: What is the hardness of the Shortest Word
Problem in the Birman-Ko-Lee presentation?

1.9.3. A cryptosystem based on the Shifted Conjugacy
Search Problem

Dehornoy [30] has suggested an authentication scheme which is based on
the Shifted Conjugacy Search Problem.

Before we describe the scheme, let us define the Shifted Conjugacy
Search Problem. Let $x, y \in B_\infty$. We define:

$$x * y = x \cdot \partial y \cdot \sigma_1 \cdot \partial x^{-1},$$

where $\partial x$ is the shift of $x$ in $B_\infty$, i.e. $\partial$ is the injective function on $B_\infty$
which sends the generator $\sigma_i$ to the generator $\sigma_{i+1}$ for each $i \ge 1$. In this
context, the Shifted Conjugacy Search Problem is:

Problem 1.8. Let $s, p \in B_\infty$ and $p' = s * p$. Find a braid $\tilde{s}$ satisfying
$p' = \tilde{s} * p$.

Now, the suggested scheme is based on the Fiat-Shamir authentication
scheme: We assume that $S$ is a set and $(F_s)_{s \in S}$ is a family of functions from
$S$ to itself that satisfies the following condition:

$$F_r(F_s(p)) = F_{F_r(s)}(F_r(p)), \qquad r, s, p \in S.$$

Alice is the prover who wants to convince Bob that she knows the secret
key $s$. Then the scheme works as follows:

Protocol 1.26.

Public key: Two elements $p, p' \in S$ such that $p' = F_s(p)$.
Private keys: Alice: $s \in S$.

Alice: Chooses a random $r \in S$ and sends Bob $x = F_r(p)$ and $x' = F_r(p')$.
Bob: Chooses a random bit $c$ and sends it to Alice.
Alice: If $c = 0$, sends $y = r$ (then Bob checks: $x = F_y(p)$ and $x' = F_y(p')$);
If $c = 1$, sends $y = F_r(s)$ (then Bob checks: $x' = F_y(x)$).

Dehornoy [30] suggests to implement this scheme on Left-Distributive
(LD) systems. An LD-system is a set $S$ with a binary operation $*$
which satisfies:

$$r * (s * p) = (r * s) * (r * p).$$

The Fiat-Shamir-type scheme on LD-systems works as follows: 

Protocol 1.27.

Public key: Two elements $p, p' \in S$ such that $p' = s * p$.
Private keys: Alice: $s \in S$.

Alice: Chooses a random $r \in S$ and sends Bob $x = r * p$ and $x' = r * p'$.
Bob: Chooses a random bit $c$ and sends it to Alice.
Alice: If $c = 0$, sends $y = r$ (then Bob checks: $x = y * p$ and $x' = y * p'$);
If $c = 1$, sends $y = r * s$ (then Bob checks: $x' = y * x$).

Now, one can use the shifted conjugacy operation as the $*$ operation
on $B_\infty$ in order to get an LD-system. So, in this way, one can achieve an
authentication scheme on the braid group with a non-trivial operation [30].
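As an added example (not code from the survey or from Dehornoy's paper), here is Protocol 1.27 run end to end in Python; with $F_r(x) = r * x$ it is also an instance of Protocol 1.26. The LD-system is a placeholder assumed for the demonstration: permutations under conjugation, $r * s = r s r^{-1}$, which satisfies the left-distributive law but, unlike shifted conjugacy in $B_\infty$, is not a hard platform. The point is to see the three moves, both of Bob's checks, and why the challenge bit is needed: a prover who does not know $s$ can always answer $c = 0$ but not $c = 1$.

```python
"""Fiat-Shamir-type authentication on an LD-system (Protocols 1.26 / 1.27).

Added example; not code from the survey or from Dehornoy's paper.  Assumed
placeholder LD-system: permutations of {0, ..., n-1} under conjugation,
r * s = r s r^{-1}, which satisfies r * (s * p) = (r * s) * (r * p).  The
survey's operation is shifted conjugacy in B_infinity; only the protocol
mechanics are reproduced here.  F_r(x) = r * x gives Protocol 1.26's maps.
"""
import secrets


def compose(a, b):
    """Permutations as tuples; (a o b)(i) = a[b[i]]."""
    return tuple(a[b[i]] for i in range(len(a)))


def inverse(a):
    inv = [0] * len(a)
    for i, ai in enumerate(a):
        inv[ai] = i
    return tuple(inv)


def star(r, s):
    """The LD operation r * s = r s r^{-1} (conjugation)."""
    return compose(compose(r, s), inverse(r))


def is_left_distributive(r, s, p):
    """Check r * (s * p) == (r * s) * (r * p) on concrete inputs."""
    return star(r, star(s, p)) == star(star(r, s), star(r, p))


def random_perm(n):
    """Uniform permutation via Fisher-Yates with a CSPRNG."""
    p = list(range(n))
    for i in range(n - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        p[i], p[j] = p[j], p[i]
    return tuple(p)


def keygen(n):
    """Private key s; public key (p, p') with p' = s * p."""
    s, p = random_perm(n), random_perm(n)
    return s, (p, star(s, p))


def commit(public, r):
    """Alice's first message for the nonce r: x = r * p, x' = r * p'."""
    p, p_prime = public
    return star(r, p), star(r, p_prime)


def respond(c, r, s):
    """Alice's answer to challenge bit c: the nonce r, or y = r * s."""
    return r if c == 0 else star(r, s)


def verify(public, commitment, c, y):
    """Bob's check: c = 0 reopens the commitment, c = 1 ties it to s."""
    p, p_prime = public
    x, x_prime = commitment
    if c == 0:
        return x == star(y, p) and x_prime == star(y, p_prime)
    return x_prime == star(y, x)


def authenticate(s, public, n, rounds=32):
    """Run `rounds` rounds; a prover without s passes each with prob. 1/2."""
    for _ in range(rounds):
        r = random_perm(n)
        x = commit(public, r)
        c = secrets.randbelow(2)
        if not verify(public, x, c, respond(c, r, s)):
            return False
    return True
```

For $c = 1$ the check holds because $y * x = (r * s) * (r * p) = r * (s * p) = r * p' = x'$, which is exactly the left-distributive law; with the identity permutation in place of $s$ the $c = 0$ check still passes, so a single round gives a cheating prover a 1/2 chance and the rounds must be repeated.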

Remark 1.6. For attacking the Shifted Conjugacy Search Problem, one
cannot use the Summit Sets theory, since it is not a conjugation problem
anymore. Nevertheless, one can still apply the length-based attack to it,
since it is still an equation in $x$.

Longrigg and Ushakov [84] cryptanalyze the suggestion of Dehornoy, and
they show that they can break the scheme (e.g. a 24% success rate for keys
of length 100 in $B_{40}$). Their idea is that in general cases they can reduce the
Shifted Conjugacy Search Problem to the well-studied Conjugacy Search
Problem. Based on some simple results, they construct an algorithm for
solving the Shifted Conjugacy Search Problem in two steps:

(1) Find a solution $s' \in B_{n+1}$ for the equation $p'\delta_{n+1} = s'\, d(p)\sigma_1\delta_{n+1}\, s'^{-1}$ in
$B_{n+1}$ (here $\delta_{n+1} \in B_{n+1}$ is a braid with $d(x) = \delta_{n+1} x \delta_{n+1}^{-1}$ for all $x \in B_n$, so
multiplying $p' = s\, d(p)\sigma_1 d(s)^{-1}$ on the right by $\delta_{n+1}$ turns the shifted conjugacy
equation into an ordinary conjugacy equation). This part can be done using the
relevant Ultra Summit Set.

(2) Correct the element $s' \in B_{n+1}$ to obtain a solution $s \in B_n$. This can
be done by finding a suitable element $c \in C_{B_{n+1}}(d(p)\sigma_1\delta_{n+1})$ (the
centralizer of $d(p)\sigma_1\delta_{n+1}$ in $B_{n+1}$).
The algorithm for computing centralizers presented in [45] is based on
computing the Super Summit Set, which is hard in general (note that
actually the Super Summit Set can be replaced by the Ultra Summit
Set and the Sliding Circuits set in Franco and Gonzalez-Meneses' al-
gorithm [60]). Hence, Longrigg and Ushakov use some subgroup of the
centralizer which is much easier to work with.

In the last part of their paper, they discuss possibilities for hard in-
stances for Dehornoy's scheme, which will resist their attack. Their attack
is based on two ingredients:

(1) The Conjugacy Search Problem is easy for the pair

in $B_{n+1}$.

(2) The centralizer $C_{B_{n+1}}(d(p)\sigma_1\delta_{n+1})$ is "small" (i.e. isomorphic to an
Abelian group of small rank).

Hence, if one can find keys for which one of the properties above is not
satisfied, then the attack probably fails.

With respect to this scheme, it is interesting to check (see also [30]):

(1) Cryptanalysis direction: What is the success rate of a length-based
attack on this scheme?

(2) Cryptanalysis direction: Can one develop a theory for the Shifted
Conjugacy Search Problem which will be parallel to the Summit Sets
theory?

(3) Cryptosystem direction: Can one suggest an LD-system on the braid
group which will be secure against the length-based attack?

(4) Cryptosystem direction: Can one find keys for which the properties
above are not satisfied, and for which Longrigg-Ushakov's attack fails?

(5) Cryptosystem direction: Can one suggest an LD-system on a differ-
ent group which will be secure?

1.9.4. Algebraic Eraser

Recently, Anshel, Anshel, Goldfeld and Lemieux [5] introduced a new scheme
for a cryptosystem which is based on combinatorial group theory. We present
here the main ideas of the scheme and the potential attacks on it.
1.9.4.1. The scheme and the implementation

We follow the presentation of [69]. Let $G$ be a group acting on a monoid $M$
on the left, that is, to each $g \in G$ and each $a \in M$ we associate a unique
element denoted ${}^{g}a \in M$, such that:

$${}^{1}a = a, \qquad {}^{gh}a = {}^{g}({}^{h}a), \qquad {}^{g}(ab) = {}^{g}a \cdot {}^{g}b$$

for all $a, b \in M$ and $g, h \in G$. The set $M \times G$, with the operation $(a, g) \circ
(b, h) = (a \cdot {}^{g}b, gh)$, is a monoid, which is denoted by $M \rtimes G$.

Let $N$ be a monoid, and $\varphi : M \to N$ a homomorphism. The algebraic
eraser operation is the function $\star : (N \times G) \times (M \rtimes G) \to (N \times G)$ defined
by:

$$(a, g) \star (b, h) = (a\,\varphi({}^{g}b), gh).$$

The function $\star$ satisfies the following identity:

$$((a, g) \star (b, h)) \star (c, r) = (a, g) \star ((b, h) \circ (c, r))$$

for all $(a, g) \in N \times G$ and $(b, h), (c, r) \in M \rtimes G$.

We say that two submonoids $A, B$ of $M \rtimes G$ are $\star$-commuting if

$$(\varphi(a), g) \star (b, h) = (\varphi(b), h) \star (a, g)$$

for all $(a, g) \in A$ and $(b, h) \in B$. In particular, if $A, B$ $\star$-commute, then:
$\varphi(a)\varphi({}^{g}b) = \varphi(b)\varphi({}^{h}a)$ for all $(a, g) \in A$ and $(b, h) \in B$.

Based on these settings, Anshel, Anshel, Goldfeld and Lemieux suggest
the Algebraic Eraser Key Agreement Scheme. It consists of the following
public information:

(1) A positive integer $m$.

(2) $\star$-commuting submonoids $A, B$ of $M \rtimes G$, each given in terms of a
generating set of size $k$.

(3) Elementwise commuting submonoids $C, D$ of $N$.

Here is the protocol:

Protocol 1.28.

Alice: Chooses $c \in C$ and $(a_1, g_1), \ldots, (a_m, g_m) \in A$, and sends $(p, g) =
(c, 1) \star (a_1, g_1) \star \cdots \star (a_m, g_m) \in N \times G$ (where the $\star$-multiplication is carried
out from left to right) to Bob.

Bob: Chooses $d \in D$ and $(b_1, h_1), \ldots, (b_m, h_m) \in B$, and sends $(q, h) =
(d, 1) \star (b_1, h_1) \star \cdots \star (b_m, h_m) \in N \times G$ to Alice.

Alice and Bob can compute the shared key:

$$(cq, h) \star (a_1, g_1) \star \cdots \star (a_m, g_m) = (dp, g) \star (b_1, h_1) \star \cdots \star (b_m, h_m).$$

For the reason why it is indeed a shared key, see [6] and [69]. In short: writing
$(a_1, g_1) \circ \cdots \circ (a_m, g_m) = (\alpha, g)$ and $(b_1, h_1) \circ \cdots \circ (b_m, h_m) = (\beta, h)$, the
identity above gives $p = c\,\varphi(\alpha)$ and $q = d\,\varphi(\beta)$, so the left side equals
$(c\,d\,\varphi(\beta)\varphi({}^{h}\alpha), hg)$ and the right side equals $(d\,c\,\varphi(\alpha)\varphi({}^{g}\beta), gh)$; these agree
because $c, d$ commute and $A, B$ are $\star$-commuting.

Anshel, Anshel, Goldfeld and Lemieux apply their general scheme to
a particular case, which they call the Colored Burau Key Agreement Protocol
(CBKAP):

Fix positive integers $n$ and $r$, and a prime number $p$. Let $G = S_n$, the
symmetric group on the $n$ symbols $\{1, \ldots, n\}$. The group $G = S_n$ acts
on $GL_n(\mathbb{F}_p(t_1, \ldots, t_n))$ by permuting the variables $\{t_1, \ldots, t_n\}$ (note that
in this case the monoid $M$ is in fact a group, and hence the semi-direct
product $M \rtimes G$ also forms a group, with inversion $(a, g)^{-1} = ({}^{g^{-1}}a^{-1}, g^{-1})$
for all $(a, g) \in M \rtimes G$).

Let $N = GL_n(\mathbb{F}_p)$. The group $M \rtimes S_n$ is the subgroup of
$GL_n(\mathbb{F}_p(t_1, \ldots, t_n)) \rtimes S_n$ generated by $(x_1, s_1), \ldots, (x_{n-1}, s_{n-1})$, where
$s_i = (i, i+1)$, and $x_i = C_i(t_i)$ (the colored Burau matrices defined earlier in these
notes), for $i = 2, \ldots, n-1$.
Recall that the colored Burau group $M \rtimes G$ is a representation of Artin's
braid group $B_n$, determined by mapping each Artin generator $\sigma_i$ to $(x_i, s_i)$,
$i = 1, \ldots, n-1$.

$\varphi : M \to GL_n(\mathbb{F}_p)$ is the evaluation map sending each variable $t_i$ to a
fixed element $\tau \in \mathbb{F}_p$. Let $C = D = \mathbb{F}_p(K)$ be the group of matrices of the
form:

with $K \in GL_n(\mathbb{F}_p)$ of order $p^n - 1$, $\ell_1, \ldots, \ell_r \in \mathbb{F}_p$, and $j_1, \ldots, j_r \in \mathbb{Z}$.

Commuting subgroups of $M \rtimes G$ are chosen in a similar way to $LB_n$
and $UB_n$ in Section 1.6.2.2. This part is done by a Trusted Third Party
(TTP), before the key-exchange protocol starts.

Fix $I_1, I_2 \subseteq \{1, \ldots, n-1\}$ such that for all $i \in I_1$ and $j \in I_2$, $|i - j| \ge 2$,
and $|I_1|$ and $|I_2|$ are both $\le n/2$. Then, define $L = \langle \sigma_i : i \in I_1 \rangle$ and
$U = \langle \sigma_j : j \in I_2 \rangle$, subgroups of $B_n$ generated by Artin generators. From
the construction of $I_1$ and $I_2$, $L$ and $U$ commute elementwise. Add to both
groups the central element $\Delta^2$ of $B_n$.

Now, they choose a secret random $z \in B_n$. Next, they choose
$w_1 = z w_1' z^{-1}, \ldots, w_k = z w_k' z^{-1} \in zLz^{-1}$ and $v_1 = z v_1' z^{-1}, \ldots, v_k =
z v_k' z^{-1} \in zUz^{-1}$, each a product of $\ell$-many generators. Transform them
into Garside's normal form, and remove all even powers of $\Delta$. Reuse the
names $w_1, \ldots, w_k$; $v_1, \ldots, v_k$ for the resulting braids. These braids are made
public.
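As an added example (not code from the survey or from Anshel, Anshel, Goldfeld and Lemieux), the following Python runs Protocol 1.28 on a small CBKAP-style platform. Everything specific is assumed for the demonstration and not taken from the page: $n = 4$, $p = 101$, the colored Burau convention $C_i(t)$ = identity except row $i = (\ldots, t, -t, 1, \ldots)$ in columns $i-1, i, i+1$, evaluation points $\tau_j$, $L = \langle\sigma_1\rangle$, $U = \langle\sigma_3\rangle$, a constructed TTP conjugator $Z$, and $C = D = \{K^j\}$ for one fixed matrix $K$. Elements of $M \rtimes G$ are kept as braid words, so $\varphi({}^{g}b)$ is computed letter by letter without symbolic polynomials: the $k$-th letter $\sigma_i^{\pm 1}$ is evaluated with its variable renamed by $g h_1 \cdots h_{k-1}$, which is exactly the semidirect-product rule $(a, g) \circ (b, h) = (a \cdot {}^{g}b, gh)$ applied one letter at a time.

```python
"""Toy Algebraic Eraser key agreement (Protocol 1.28) on a small
colored-Burau platform in the style of CBKAP.  Added example, not code from
the survey or from Anshel, Anshel, Goldfeld and Lemieux.  Assumed (not on
the page): n = 4, p = 101, C_i(t) = identity except row i = (.., t, -t, 1, ..)
in columns i-1, i, i+1 (row 1 has no column 0), phi evaluating t_j at a
fixed nonzero tau_j, L = <sigma_1>, U = <sigma_3>, a constructed TTP
conjugator Z, and C = D = powers of one fixed matrix K.  Elements of M x| G
are kept as braid words, so phi(^g b) is evaluated letter by letter."""
import random

P, N = 101, 4
TAU = [3, 7, 11, 19]          # constructed evaluation points tau_1..tau_n in F_P^*
ONE = tuple(range(N))         # identity permutation (0-based tuples throughout)

def identity():
    return [[int(i == j) for j in range(N)] for i in range(N)]

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(N)) % P for j in range(N)]
            for i in range(N)]

def compose(g, h):
    """(g h)(j) = g(h(j))."""
    return tuple(g[h[j]] for j in range(N))

def swap(i):
    """The transposition s_i = (i, i+1), 1-based i."""
    s = list(ONE)
    s[i - 1], s[i] = s[i], s[i - 1]
    return tuple(s)

def burau(i, t, inv=False):
    """C_i(t) over F_P (row i: t, -t, 1), or its inverse (row i: 1, -1/t, 1/t)."""
    u = pow(t, P - 2, P)                              # t^{-1} in F_P
    left, mid, right = (1, -u, u) if inv else (t, -t, 1)
    C, r = identity(), i - 1
    if r > 0:
        C[r][r - 1] = left
    C[r][r], C[r][r + 1] = mid % P, right
    return C

def evaluate(g, word):
    """Return (phi(^g b), g h) for the element (b, h) of M x| G spelled by
    `word` (letters (i, +1/-1)).  A word's M-part is b_1 ^{h_1}b_2 ^{h_1 h_2}b_3 ...,
    so `cur` tracks g h_1 ... h_{k-1}; the variable t_j is read as tau_{cur(j)}.
    The letter sigma_i^{-1} has M-part ^{s_i}(x_i^{-1}) = C_i(t_{i+1})^{-1}."""
    mat, cur = identity(), g
    for i, e in word:
        j = cur[i - 1] if e == 1 else cur[i]          # 0-based index of t_i or t_{i+1}
        mat = matmul(mat, burau(i, TAU[j], inv=(e == -1)))
        cur = compose(cur, swap(i))
    return mat, cur

def emult(left, word):
    """The eraser operation (a, g) * (b, h) = (a phi(^g b), g h)."""
    a, g = left
    m, gh = evaluate(g, word)
    return matmul(a, m), gh

def fold(start, words):
    """start * w_1 * ... * w_m, multiplied from left to right."""
    for w in words:
        start = emult(start, w)
    return start

def conj(z, w):
    """The word z w z^{-1}."""
    return z + w + [(i, -e) for i, e in reversed(z)]

Z = [(2, 1), (3, -1), (1, 1), (2, 1)]                      # TTP's secret conjugator
A_GENS = [conj(Z, [(1, 1)]), conj(Z, [(1, -1), (1, -1)])]   # generators of z L z^-1
B_GENS = [conj(Z, [(3, 1), (3, 1)]), conj(Z, [(3, -1)])]    # generators of z U z^-1

def star_commute(a_word, b_word):
    """(phi(a), g) * (b, h) == (phi(b), h) * (a, g)?"""
    return emult(evaluate(ONE, a_word), b_word) == emult(evaluate(ONE, b_word), a_word)

def run(seed=1, m=6):
    """One exchange; returns (Alice's key, Bob's key).  Seeded only so the
    run is reproducible; a deployment draws its choices from a CSPRNG."""
    rng = random.Random(seed)
    K = burau(2, 5)                                   # C = D = {K^j}: commute elementwise
    c, d = identity(), identity()
    for _ in range(rng.randrange(1, 40)):
        c = matmul(c, K)
    for _ in range(rng.randrange(1, 40)):
        d = matmul(d, K)
    alice_words = [rng.choice(A_GENS) for _ in range(m)]
    bob_words = [rng.choice(B_GENS) for _ in range(m)]
    p, g = fold((c, ONE), alice_words)                # Alice -> Bob: (p, g)
    q, h = fold((d, ONE), bob_words)                  # Bob -> Alice: (q, h)
    k_alice = fold((matmul(c, q), h), alice_words)    # (c q, h) * (a_1, g_1) * ...
    k_bob = fold((matmul(d, p), g), bob_words)        # (d p, g) * (b_1, h_1) * ...
    return k_alice, k_bob
```

`star_commute` checks the $\star$-commuting condition on the published generators, which holds here because words in $\sigma_1$ and words in $\sigma_3$ commute in $M \rtimes G$ and conjugation by $Z$ preserves that; `fold` over two words equals `emult` over their concatenation, which is the identity $((a, g) \star (b, h)) \star (c, r) = (a, g) \star ((b, h) \circ (c, r))$ in this representation.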



April 16, 2009 22:45 World Scientific Review Volume - 9in x 6in BGCiecturenotes'fina! 



60 David Garber 

Anshel, Anshel, Goldfeld and Lemieux have cryptanalyzed their scheme
and the TTP protocol, and conclude that if the conjugating element $z$ is
known, there is a successful linear algebraic attack on CBKAP (see [6,
Section 6]). On the other hand, if $z$ is not known, this attack cannot
be implemented. Moreover, they claim that the length-based attack is
ineffective against CBKAP because the $w_i$ and $v_i$ are not known, among other
reasons.

1.9.4.2. The attacks

There are several attacks on this cryptosystem. Kalka, Teicher and Tsaban
[69] attack the general scheme and then show that the attack can be applied
to CBKAP, the specific implementation of the scheme.

For the general scheme, they show that the secret part of the shared
key can be computed (under some assumptions, which also include the
assumption that the keys are chosen with standard distributions). They do
it in two steps: First they compute $d$ and $\varphi(h)$ up to a scalar, and using
that they can compute the secret part of the shared key. They remark that
if the keys are chosen by a distribution different from the standard one, it is
possible that this attack is useless (see [69, Section 8] for a discussion on
this point).

In the next part, they show that the assumptions are indeed satisfied
for the specific implementation of the scheme. The first two assumptions
(that it is possible to generate an element $(a, 1) \in A$ with $a \ne 1$, and that
$N$ is a subgroup of $GL_n(\mathbb{F})$ for some field $\mathbb{F}$ and some $n$) can be easily
checked. The third assumption (that given an element $g \in \langle s_1, \ldots, s_k \rangle$,
where $(a_1, s_1), \ldots, (a_k, s_k) \in M \rtimes G$ are the given generators of $A$, then $g$
can be explicitly expressed as a product of elements of $\{s_1^{\pm 1}, \ldots, s_k^{\pm 1}\}$), can
be reformulated as the Membership Search Problem in generic permutation
groups:

Problem 1.9. Given random $s_1, \ldots, s_k \in S_n$ and $s \in \langle s_1, \ldots, s_k \rangle$, ex-
press $s$ as a short (i.e. of polynomial length) product of elements from
$\{s_1^{\pm 1}, \ldots, s_k^{\pm 1}\}$.

They provide a simple and very efficient heuristic algorithm for solving
this problem in generic permutation groups. The algorithm gives expres-
sions of length $O(n^{a}\log n)$, in time $O(n^{b}\log n)$ and space $O(n^{c}\log n)$ (small
constant exponents $a, b, c$, not legible in this copy; see [69]),
and is the first practical one for $n > 256$. Hence, the third assumption is
satisfied too. So the attack can be applied to the CBKAP implementation.




Myasnikov and Ushakov [101] attack the scheme of Anshel, Anshel,
Goldfeld and Lemieux from a different direction. Anshel, Anshel, Goldfeld
and Lemieux [6] discuss the security of their scheme and indicate that if
the conjugator $z$ generated randomly by the TTP algorithm is known, then
one can attack their scheme by an efficient linear attack, which can reveal
the shared key of the parties. The problem of recovering the exact $z$ seems
like a very difficult mathematical problem since it reduces to solving the
system of equations:

$$w_1 = \Delta^{2p_1} z w_1' z^{-1}, \ \ldots, \ w_k = \Delta^{2p_k} z w_k' z^{-1}, \qquad
v_1 = \Delta^{2q_1} z v_1' z^{-1}, \ \ldots, \ v_k = \Delta^{2q_k} z v_k' z^{-1}$$

which has too many unknowns, since only the left hand sides are known.
Hence, it might be difficult to find the original $z$.

The attack of Myasnikov and Ushakov is a variant of the length-based
attack. It is based on the observation that actually any solution $z'$ of the
system of equations above can be used in a linear attack on the scheme.
Hence, they start by recovering the powers of $\Delta$ which were added, so one
can peel off the $\Delta^{2p}$ part. In the next step, they succeed in revealing the
conjugator $z$ (or any equivalent solution $z'$).

Experimental results with instances of the TTP protocol generated us-
ing $|z| = 50$ (which is almost three times greater than the suggested value)
showed a 100% success rate. They indicate that the attack may fail when the
length of $z$ is large relative to the length of $\Delta^2$ (for more details, see [101,
Section 3.4]).

Chowdhury [23] shows that the suggested implementation of the Alge-
braic Eraser scheme on the braid group (the TTP protocol) is actually based
on the Multiple Simultaneous Conjugacy Search Problem, and thus it can
be cracked. He gives some algorithms for attacking the implementation.

It will be interesting to continue the research on the Algebraic Eraser
key-agreement scheme in several directions:

(1) Cryptosystem direction: Can one suggest a different distribution
for the choice of keys, so that the cryptosystem can resist the attack of
Kalka-Teicher-Tsaban?

(2) Cryptosystem direction: Can one suggest a different implementa-
tion (different groups, etc.) for the Algebraic Eraser scheme which can
resist the attack of Kalka-Teicher-Tsaban?

(3) Cryptanalysis direction: Can the usual length-based approach [48]
be applied to attack the TTP protocol?

(4) General: One should perform a rigorous analysis of the algorithm of
Kalka-Teicher-Tsaban for the Membership Search Problem in generic
permutation groups (see [69, Section 8]).

1.9.5. Cryptosystems based on the decomposition problem and the triple decomposition problem

This section deals with two cryptosystems which are based on different
variants of the decomposition problem: Given $a$ and $b = xay$ in $G$, find $x, y$.

Shpilrain and Ushakov [113] suggest the following protocol, which is
based on the decomposition problem:

Protocol 1.29.

Public key: $w \in G$.

Alice: chooses an element $a_1 \in G$ of length $\ell$, chooses a subgroup of the
centralizer $C_G(a_1)$, and publishes its generators $A = \{\alpha_1, \ldots, \alpha_k\}$.

Bob: chooses an element $b_2 \in G$ of length $\ell$, chooses a subgroup of
$C_G(b_2)$, and publishes its generators $B = \{\beta_1, \ldots, \beta_k\}$.

Alice: chooses a random element $a_2 \in \langle B \rangle$ and sends publicly the normal
form $P_A = N(a_1 w a_2)$ to Bob.

Bob: chooses a random element $b_1 \in \langle A \rangle$ and sends publicly the normal
form $P_B = N(b_1 w b_2)$ to Alice.

Shared secret key: $K_A = a_1 P_B a_2 = b_1 P_A b_2 = K_B$.

Since $a_1 b_1 = b_1 a_1$ and $a_2 b_2 = b_2 a_2$, we indeed have $K = K_A = K_B$, the
shared secret key. Alice can compute $K_A$ and Bob can compute $K_B$.

They suggest the following values of parameters for the protocol: $G =
B_{64}$, $\ell = 1024$. For computing the centralizers, Alice and Bob should
use the algorithm from [45], but actually they have to compute only some
elements from them and not the whole sets.

Two key-exchange protocols which are based on a variant of the de-
composition problem have been suggested by Kurt [75]. We describe here
the second protocol, which is an extension of the protocol of Shpilrain and
Ushakov to the triple decomposition problem:

Problem 1.10. Given $v = x_1 a_2 x_2$, find $x_1 \in H$, $a_2 \in A$ and $x_2 \in H'$,
where $H = C_G(g_1, \ldots, g_k)$, $H' = C_G(g_1', \ldots, g_k')$, and $A$ is a subgroup of
$G$ given by its generators.

Here is Kurt's second protocol (his first protocol is similar): Let $G$ be
a non-commutative monoid with a large number of invertible elements.

Protocol 1.30.

Alice: picks two invertible elements $x_1, x_2 \in G$, chooses subsets $S_{x_1} \subseteq
C_G(x_1)$ and $S_{x_2} \subseteq C_G(x_2)$, and publishes $S_{x_1}$ and $S_{x_2}$.

Bob: picks two invertible elements $y_1, y_2 \in G$, chooses subsets $S_{y_1} \subseteq
C_G(y_1)$ and $S_{y_2} \subseteq C_G(y_2)$, and publishes $S_{y_1}$ and $S_{y_2}$.

Alice: chooses random elements $a_1 \in G$, $a_2 \in S_{y_1}$ and $a_3 \in S_{y_2}$ as
her private keys. She sends Bob publicly $(u, v, w)$ where $u = a_1 x_1$, $v =
x_1^{-1} a_2 x_2$, $w = x_2^{-1} a_3$.

Bob: chooses random elements $b_1 \in S_{x_1}$, $b_2 \in S_{x_2}$ and $b_3 \in G$ as
his private keys. He sends Alice publicly $(p, q, r)$ where $p = b_1 y_1$, $q =
y_1^{-1} b_2 y_2$, $r = y_2^{-1} b_3$.

Shared secret key: $K = a_1 b_1 a_2 b_2 a_3 b_3$.

Indeed, $K$ is a shared key, since Alice can compute $a_1 p a_2 q a_3 r =
a_1 b_1 a_2 b_2 a_3 b_3$ (the $y_1, y_1^{-1}$ and $y_2, y_2^{-1}$ cancel because $a_2$ commutes with $y_1$
and $a_3$ with $y_2$) and Bob can compute $u b_1 v b_2 w b_3 = a_1 b_1 a_2 b_2 a_3 b_3$ (because
$b_1$ commutes with $x_1$ and $b_2$ with $x_2$).

As parameters, Kurt suggests to use $G = B_{100}$, and each secret key
should be of length 300 Artin generators.
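As an added example covering both Protocol 1.29 and Protocol 1.30 (not code from the survey, from Shpilrain and Ushakov, or from Kurt), the following Python runs both exchanges on a placeholder platform: $G = S_n$, with the tuple of a permutation serving as its normal form $N(\cdot)$, chosen because products and inverses are immediate, whereas the page's platforms are $B_{64}$ and $B_{100}$. The published centralizer pieces are powers of the element ($\langle x \rangle \subseteq C_G(x)$ always), an assumption made for the demonstration. Each function returns what Alice and Bob compute separately, so the equality of the two values is the shared-key argument of the text made concrete.

```python
"""Key exchange from the decomposition problem (Protocol 1.29) and Kurt's
triple decomposition protocol (Protocol 1.30) on a placeholder platform.

Added example; not code from the survey, from Shpilrain-Ushakov or from
Kurt.  Assumed platform: G = S_n (permutations of {0..n-1}) instead of the
page's B_64 / B_100, chosen because products, inverses and a canonical
normal form (the tuple itself) are immediate.  The published parts of a
centralizer are powers of the element, since <x> always lies in C_G(x).
"""
import random


def compose(a, b):
    """Permutations as tuples; (a b)(i) = a[b[i]]."""
    return tuple(a[b[i]] for i in range(len(a)))


def inverse(a):
    inv = [0] * len(a)
    for i, ai in enumerate(a):
        inv[ai] = i
    return tuple(inv)


def product(*xs):
    """Left-to-right product x_1 x_2 ... x_m."""
    out = tuple(range(len(xs[0])))
    for x in xs:
        out = compose(out, x)
    return out


def power(a, k):
    return product(*([a] * k)) if k else tuple(range(len(a)))


def random_perm(n, rng):
    p = list(range(n))
    rng.shuffle(p)
    return tuple(p)


def protocol_129(n=8, seed=0):
    """Shpilrain-Ushakov decomposition protocol: returns (K_A, K_B)."""
    rng = random.Random(seed)                           # seeded for reproducibility only
    w = random_perm(n, rng)                             # public element
    a1, b2 = random_perm(n, rng), random_perm(n, rng)   # Alice's a_1, Bob's b_2
    A = [power(a1, 2), power(a1, 3)]                    # generators of a subgroup of C_G(a_1)
    B = [power(b2, 2), power(b2, 3)]                    # generators of a subgroup of C_G(b_2)
    a2 = product(*[rng.choice(B) for _ in range(4)])    # Alice: random element of <B>
    b1 = product(*[rng.choice(A) for _ in range(4)])    # Bob: random element of <A>
    P_A = product(a1, w, a2)                            # Alice -> Bob (normal form = tuple)
    P_B = product(b1, w, b2)                            # Bob -> Alice
    return product(a1, P_B, a2), product(b1, P_A, b2)   # K_A, K_B


def protocol_130(n=8, seed=0):
    """Kurt's second protocol: returns (K_A, K_B, a_1 b_1 a_2 b_2 a_3 b_3)."""
    rng = random.Random(seed)
    x1, x2 = random_perm(n, rng), random_perm(n, rng)   # Alice's invertible elements
    y1, y2 = random_perm(n, rng), random_perm(n, rng)   # Bob's invertible elements
    S = lambda x: [power(x, j) for j in range(1, n)]    # published subset of C_G(x)
    Sx1, Sx2, Sy1, Sy2 = S(x1), S(x2), S(y1), S(y2)
    a1, a2, a3 = random_perm(n, rng), rng.choice(Sy1), rng.choice(Sy2)   # Alice's private keys
    u, v, w = product(a1, x1), product(inverse(x1), a2, x2), product(inverse(x2), a3)
    b1, b2, b3 = rng.choice(Sx1), rng.choice(Sx2), random_perm(n, rng)   # Bob's private keys
    p, q, r = product(b1, y1), product(inverse(y1), b2, y2), product(inverse(y2), b3)
    K_A = product(a1, p, a2, q, a3, r)                  # Alice: a_1 p a_2 q a_3 r
    K_B = product(u, b1, v, b2, w, b3)                  # Bob:   u b_1 v b_2 w b_3
    return K_A, K_B, product(a1, b1, a2, b2, a3, b3)
```

Note how little the public values hide on this platform: a permutation is its own normal form, so an observer sees $P_A$ exactly, and the decomposition problem in $S_n$ is easy; the braid-group version relies on the normal form $N(a_1 w a_2)$ destroying the visible factorization, which is what Chowdhury's reduction to the Multiple Simultaneous Conjugacy Search Problem targets.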

Chowdhury [22] attacks the two protocols of Kurt, by observing that by
some manipulations one can gather the secret information by solving only 
the Multiple Simultaneous Conjugacy Search Problem. Hence, the security 
of Kurt's protocols is based on the solution of the Multiple Simultaneous 
Conjugacy Search Problem. Since the Multiple Simultaneous Conjugacy 
Search Problem can be attacked by several methods, Chowdhury has actu- 
ally shown that Kurt's protocols are not secure. 

Although Shpilrain and Ushakov indicate that their key-exchange 
scheme resists length-based attack, it will be interesting to check if this 
indeed is the situation. Also, it is interesting to check if one can change 
the secrets of Kurt's protocols in such a way that it cannot be revealed by 
just solving the Simultaneous Conjugacy Search Problem. If such a change 
exists, one should check if the new scheme resists length-based attacks. 
1.10. Future directions I: Alternate distributions

In this section and in the next section, we discuss some more future direc-
tions of research in this area and related areas. This section deals with the in-
teresting option of changing the distribution of the generators. In this way,
one can increase the security of cryptosystems which are vulnerable when
assuming a standard distribution. In the next section, we deal with some
suggestions of cryptosystems which are based on different non-commutative
groups, apart from the braid group.

In order to overcome some of the attacks, one can try to change the distribu-
tion of the generators. For example, one can require that if the generator
$\sigma_i$ appears, then in the next place we give more probability to the appear-
ance of $\sigma_{i \pm 1}$. In general, such a situation is called a Markov walk, i.e. the
distribution of the choice of the next generator depends on the currently
chosen generator.

A work in this direction is the paper of Maffre [88]. After suggesting
a deterministic polynomial algorithm that reduces the Conjugacy Search
Problem in the braid group (by a partial factorization of the secret), he proposes
a new random generator of keys which is secure against his attack and the
one of Hofheinz and Steinwandt [65].

This situation appears also in the Algebraic Eraser scheme (Section
1.9.4). The attack of Kalka, Teicher and Tsaban [69] assumes that the
distribution of the generators is standard. They indicate that if the distri-
bution is not standard, it is possible that the attack fails.



1.11. Future directions II: Cryptosystems based on different non-commutative groups

The protocols presented here for the braid groups can be applied to other
non-commutative groups, so the natural question here is:

Problem 1.11. Can one suggest a different non-commutative group where
the existing protocols on the braid group can be applied, and the cryptosys-
tem will be secure?



We survey here some suggestions. 
1.11.1. Thompson group

When some of the cryptosystems on the braid groups were attacked, it was
natural to look for different groups, with the hope that a similar cryptosys-
tem on a different group would be more secure and more successful. The
Thompson group is a natural candidate for such a group: there is a normal
form which can be computed efficiently, but the decomposition problem seems
difficult. On this basis, Shpilrain and Ushakov [112] suggest a cryptosystem.
In this section, we define the Thompson group and the Shpilrain-
Ushakov cryptosystem, and we discuss its cryptanalysis.

1.11.1.1. Definitions and the Shpilrain-Ushakov cryptosystem

Thompson's group $F$ is the infinite non-commutative group defined by the
following generators and relations:

$$F = \langle x_0, x_1, x_2, \ldots \mid x_i^{-1} x_k x_i = x_{k+1} \ (k > i) \rangle.$$

Each $w \in F$ admits a unique normal form [22]:

$$w = x_{i_1} \cdots x_{i_r} x_{j_t}^{-1} \cdots x_{j_1}^{-1},$$

where $i_1 \le \cdots \le i_r$, $j_1 \le \cdots \le j_t$, and if $x_i$ and $x_i^{-1}$ both occur in this
form, then either $x_{i+1}$ or $x_{i+1}^{-1}$ occurs as well. The transformation of an
element of $F$ into its normal form is very efficient [112].

We define here a natural length function on the Thompson group:

Definition 1.31. The normal form length of an element $w \in F$, $\mathrm{LNF}(w)$,
is the number of generators in its normal form: If $w = x_{i_1} \cdots x_{i_r} x_{j_t}^{-1} \cdots x_{j_1}^{-1}$
is in normal form, then $\mathrm{LNF}(w) = r + t$.

Shpilrain and Ushakov [112] suggest the following key-exchange protocol
based on the Thompson group:

Protocol 1.32.

Public subgroups: $A, B, W$ of $F$, where $ab = ba$ for all $a \in A$, $b \in B$.

Public key: an element $w \in W$.

Private keys: Alice: $a_1 \in A$, $b_1 \in B$; Bob: $a_2 \in A$, $b_2 \in B$.

Alice: Sends Bob $u_1 = a_1 w b_1$.
Bob: Sends Alice $u_2 = b_2 w a_2$.

Shared secret key: $K = a_1 b_2 w a_2 b_1$.

$K$ is a shared key since Alice can compute $K = a_1 u_2 b_1$ and Bob can
compute $K = b_2 u_1 a_2$, and both are equal to $K$ since $a_1, a_2$ commute with
$b_1, b_2$.

Here is a suggestion for implementing the cryptosystem [112]: Fix a nat-
ural number $s > 2$. Let $S_A = \{x_0 x_1^{-1}, \ldots, x_0 x_s^{-1}\}$, $S_B = \{x_{s+1}, \ldots, x_{2s}\}$
and $S_W = \{x_0, \ldots, x_{s+2}\}$. Denote by $A$, $B$ and $W$ the subgroups of $F$ gen-
erated by $S_A$, $S_B$ and $S_W$, respectively. $A$ and $B$ commute elementwise,
as required.

The keys $a_1, a_2 \in A$, $b_1, b_2 \in B$ and $w \in W$ are all chosen of normal
form length $L$, where $L$ is a fixed integer, as follows: Let $X$ be $A$, $B$ or
$W$. Start with the unit word, and multiply it on the right by a (uniformly)
randomly selected generator from the set $S_X$, inverted with probability $1/2$.
Continue this procedure until the normal form of the word has length $L$.

For practical implementation of the protocol, it is suggested in [112] to
use $s \in \{3, 4, \ldots, 8\}$ and $L \in \{256, 258, \ldots, 320\}$.

1.11.1.2. Length-based attack 

We present some attacks on the Ushakov-Shpilrain cryptosystem.

As mentioned before, the length-based attack is applicable to any group
with a reasonable length function. Ruinskiy, Shamir and Tsaban [108]
applied this attack to the Thompson group.

As before, the basic length-based attack without memory always fails for
the suggested parameters. If we add the memory approach, there is some
improvement: for a memory of size 1024, there is 11% success. But if the
memory is small (up to 64), even the memory approach always fails. They
suggest that the reason for this phenomenon (in contrast to a significant
success for the length-based attack with memory on the braid group) is
that the braid group is much closer to the free group than the Thompson
group, which is relatively close to an abelian group.

Their improvement is trying to avoid repetitions. The problem is that
many elements return over and over again, and hence the algorithm goes
into loops which make its way to the solution much more difficult. The solution
to this is holding a list of the already-checked conjugators, and when we
generate a new conjugator, we check in the list whether it has already appeared
(this part is implemented by a hash table). In case it has, we just
ignore it. This improvement significantly increases the success rate of the
algorithm: instead of 11% for a memory of size 1024, we now have 49.8%,
and instead of 0% for a memory of size 64, we now have 24%.
In the same paper [108], they suggest some more improvements for
the length-based algorithm. One of their reasons for continuing with the
improvements is the following interesting fact which was pointed out by
Shpilrain [111]: there is a very simple fix for key-agreement protocols that
are broken with probability less than $p$: Agree on $k$ independent keys in
parallel, and XOR them all to obtain the shared key. The probability of
breaking the shared key is at most $p^k$, which is much smaller.

In a different paper, Ruinskiy, Shamir and Tsaban [116] attack the key
agreement protocols based on non-commutative groups from a different
direction: by using functions that estimate the distance of a group element
to a given subgroup. It is known that in general the Membership Problem
is hard, but one can use some heuristic approaches for determining the
distance of an element to a given subgroup, e.g., to count the number of
generators which are not in the subgroup.

They test it against the Shpilrain-Ushakov protocol, which is based on
Thompson's group $F$, and show that it can break about half the keys within
a few seconds.

1.11.1.3. Special attack by Matucci

Some interesting special attacks on the Ushakov-Shpilrain cryptosystem can
be found in Kassabov and Matucci [91] and Matucci [90].

1.11.2. Polycyclic groups

Eick and Kahrobaei [41] suggest using polycyclic groups as the basis of a
cryptosystem. These groups are a natural generalization of cyclic groups,
but they are much more complex in their structure than cyclic groups.
Hence, their algorithmic theory is more difficult, and thus it seems promising
to investigate classes of polycyclic groups as candidates for a more
substantial, perhaps more secure, platform.

Here is one presentation for polycyclic groups:

$$\langle a_1, \ldots, a_n \mid a_i^{-1} a_j a_i = w_{ij},\ a_i a_j a_i^{-1} = v_{ij},\ a_k^{r_k} = u_{kk},\ \text{for } 1 \le i < j \le n,\ k \in I \rangle$$

where $I \subseteq \{1, \ldots, n\}$ and $r_i \in \mathbb{N}$ if $i \in I$, and the right hand sides
$w_{ij}, v_{ij}, u_{jj}$ of the relations are words in the generators $a_{j+1}, \ldots, a_n$. Using
induction, it is straightforward to show that every element in the group de-
fined by this presentation can be written in the form $a_1^{e_1} \cdots a_n^{e_n}$ with $e_i \in \mathbb{Z}$
and $0 \le e_i < r_i$ if $i \in I$ (see [119] for more information).
Eick and Kahrobaei introduce a Diffie-Hellman-type key exchange which
is based on the polycyclic group. As in the braid groups' case, the cryp-
tosystem is based on the fact that the word problem can be solved effectively
in polycyclic groups, while the known solutions to the conjugacy problem
are far less efficient. For more information, see [41].

In a different direction, Kahrobaei and Khan [68] introduce a non-
commutative key-exchange scheme which generalizes the classical ElGamal
cipher [42] to polycyclic groups.

1.11.3. Miller groups

Mahalanobis [89] suggested a Diffie-Hellman-type key exchange on
Miller groups [92], which are groups with an abelian automorphism group.

1.11.4. Grigorchuk group

Garzon and Zalcstein [52] suggest a cryptosystem which is based on the
word problem of the Grigorchuk group [62]. Both Petrides [105] and
Gonzalez-Vasco, Hofheinz, Martinez and Steinwandt [61] cryptanalyze this
cryptosystem.

The Conjugacy Decision Problem in this group is also polynomial [85],
so this problem cannot serve as a basis for a cryptosystem.

1.11.5. Twisted conjugacy problem in the semigroup of $2 \times 2$ matrices over polynomials

Shpilrain and Ushakov [114] suggest an authentication scheme which is
based on the twisted conjugacy search problem:

Problem 1.12. Given a pair of endomorphisms (i.e., homomorphisms into
itself) $\varphi, \psi$ of a group $G$ and a pair of elements $w, t \in G$, find an element
$s \in G$ such that $t = \psi(s^{-1}) w \varphi(s)$, provided at least one such $s$ exists.

Their suggested platform semigroup $G$ is the semigroup of all $2 \times 2$
matrices over truncated one-variable polynomials over $\mathbb{F}_2$, the field of two
elements. For more details, see their paper.